Biometric Technology Application Manual - ITI Observatorio ...

Biometric Technology
Application Manual
Volume 1
Biometric Basics
Compiled and Published by
National Biometric Security Project
Revised:
Summer 2008

Biometric Technology Application Manual Volume 1 iii
Table of Contents
Abstract ...........................................................................................ix
About the Biometric Technology Application
Manual (BTAM) .......................................................................ix
About the National Biometric Security Project ..........x
Purpose and Objectives .....................................................xi
Volume 1: Biometrics Basics ......................................... xiii
Volume 2: Applying Biometrics ................................... xiii
Intended Audience ............................................................ xv
Disclaimer ............................................................................. xvi
Updates and Errata ............................................................ xvi
Foreword ..............................................................................xvii
Section 1: Introduction ..............................................................1
Levels of Identification ........................................................ 1
Biometrics for Identity Management ............................ 6
Section 2: Fundamentals of Biometrics ...............................1
The Origin of Biometrics 7 ................................................... 1
How Biometric Technologies Work—In General ...........5
Overview of Applications ................................................10
Errors and Error Rates ........................................................13
Failure to Acquire ................................................................16
Personal Biometric Criteria ..............................................17
Biometric System-Level Criteria ....................................18
Key Elements of Biometric Systems 15 ..........................19
Biometric Performance Metrics .....................................29
Template Storage Considerations ................................33
Terms and Definitions Related to Biometrics ...........37
Section 3: Types of Biometric Technologies .......................1
Dynamic Signature Analysis ............................................. 2
Facial Imaging or Recognition ......................................... 5
Fingerprint .............................................................................12
Hand Geometry ...................................................................18
Iris Recognition ....................................................................21
Keystroke Analysis/Keystroke Dynamics ...................25
Palmprint ...............................................................................30
Version 2 – Summer 2008

Volume I iv Table of Contents
Retinal Scan ..........................................................................32
Skin Spectroscopy/Skin Texture/Skin Contact ........35
Speaker Verification ...........................................................38
Vascular Biometrics ............................................................43
Other Biometric Technologies .......................................62
Section 4: The Biometric System Design Process .................1
System Concept Development ....................................... 2
Operational Considerations and Constraints ............. 5
The Requirements Definition ........................................... 7
The System Specification .................................................12
Biometric Access Control ................................................14
The Architectural Aspects of an Automated Access
Control Portal .......................................................................24
Critical Performance Expectations ...............................29
Examples of Access Control Systems ..........................34
Section 5: Structure of Biometric Standards ..................... 1
Introduction ............................................................................ 1
Current Work in Biometric Standards
Development..... ..................................................................14
International Standards Organizations ......................15
BioAPI Consortium .............................................................26
Common Biometric Exchange Framework Format
(CBEFF) ....................................................................................27
ANSI NIST Standards ..........................................................29
Biometric Consortium .......................................................30
Other Standards ..................................................................31
Best Practices in Standards Development ................32
Section 6: Testing and Evaluation ..........................................1
Introduction ............................................................................ 1
Understanding Biometric System Performance ....... 3
Comparison of Types of Testing ...................................... 6
Technology Testing .............................................................. 7
Scenario Testing .................................................................... 8
Operational Testing .............................................................. 8
ROC, DET, CMC Curves .....................................................13
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 v
Measuring Biometric Performance ..............................16
Performance Measures .....................................................18
The Qualified Products List .................................................20
The NBSP/BSI QPL Performance Test ...........................21
Demographics .....................................................................22
Sample Size ...........................................................................22
The NBSP/BSI Conformance Test ..................................23
Other Types of Testing ......................................................25
Vulnerability Testing ..........................................................25
Security Testing ...................................................................27
Interoperability Testing ....................................................28
ISO/IEC 17025 Accreditation ..........................................28
Other Testing Considerations.........................................30
Scalability and Usability ...................................................30
Compliance with Standards ...........................................31
Testing Protocols .................................................................34
Evaluation Protocols ..........................................................36
Technology and Product Evaluations .........................37
Testing Organizations .......................................................41
Section 7: Biometric Social and Cultural Implications ...1
Section 7, Part I: Societal Issues—Legal
Considerations and Implications .................................... 1
U.S. Law and Implications .................................................. 8
Impact on Civil Liberties 87 ................................................14
Implications for Federal Agencies ................................16
International Considerations ..........................................18
Summary ................................................................................34
Section 7, Part II: Societal Issues—Privacy
Considerations .....................................................................35
Summary ................................................................................72
Section 7, Part III: Societal Issues—User Acceptance
Considerations ....................................................................72
Section 8: Trends and Implications .......................................1
Trends ....................................................................................... 2
Implications ..........................................................................11
Summary ................................................................................16
Version 2 – Summer 2008

Volume I vi Table of Contents
Bibliography and References ...................................................1
Legal Cases Cited ....................................................................... 12
Acknowledgments .................................................................... 13
BTAM Index .....................................................................................1
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 vii
List of Figures
Figure 1-1 A complete identity management system. 7
Figure 2-1 Chart demonstrating “Bertillonage”
measurements. .............................................................................. 2
Figure 2-2 Generic Biometric Process....................................... 5
Figure 2-3 Diagram of a “generic” biometric-based system.6
Figure 2-4 Minutia-based fingerprint image with detected
minutia points marked. ....................................25
Figure 2-5 Example of decision threshold for an iris
recognition system. ...........................................28
Figure 2-6 Graphs showing intersection between FAR
and .................................................FRR for verification.
30
Figure 3-1 Examples of fingerprint ridge patterns. ..........13
Figure 3-2 Minutia-based fingerprint image with detected
minutia points marked. ....................................15
Figure 3-3 Iris image showing unique structure. .........21
Figure 3-4 An iris image with an IrisCode ® . ....................22
Figure 3-5 Example of palmprint patterns. ....................30
Matrix I Comparison of Biometric Technologies –
Matrix I ....................................................................47
Matrix II Comparison of Biometric Technologies –
Version 2 – Summer 2008

Volume I viii Table of Contents
Matrix II ..................................................................56
Figure 3-6 Structure of the external ear. ............................. 66
Figure 4-1 ...................................................................................24
Figure 4-2 ...................................................................................28
Figure 5-1 Structure of Biometric Standards ................... 3
Figure 5-2 Biometric Standards Activities ......................25
Sec. 6 Comparison of Algorithm, Scenario, and Operational
Testing ....................................................................11
Figure 6-1 Example ROC curve. ..........................................13
Figure 6-2 Example DET curve. ...........................................14
Figure 6-3 Example CMC curve. .........................................15
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 ix
Abstract
About the Biometric Technology
Application Manual (BTAM)
Published by the National Biometric Security Project
(NBSP), the Biometric Technology Application Manual
(BTAM) is a comprehensive reference manual on biometric
technology applications. This reference book, in three
volumes, has been compiled for biometric technology
users and for those who are evaluating biometrics as an
enabling technology within an integrated system or program
for security and identification management. The
BTAM is intended to be a rational and practical tool for
those who specify, buy, integrate, operate, and manage
biometric technology-based systems.
The experienced biometric practitioner will see much
that is familiar in the BTAM. The publication is not
a revelation of new content. Rather, it is designed to
inform the rapidly growing community of new users,
designers, and integrators, and assist them in their search
for practical application solutions. Hopefully, it will
prove to be the standard desktop reference on the subject
of biometrics for all levels of interest and experience.
Generally, this manual has been compiled for and is intended
for individuals and organizations with responsibility
for protecting civil infrastructure and related applications
including, but are not limited to:
•
•
Civil infrastructure agencies
Other government agencies
Version 2 – Summer 2008

Volume I x Abstract
•
•
•
•
Private sector
Academic institutions
International organizations, businesses, groups, and
governments
Consultants and practitioners in biometrics
About the National Biometric Security
Project
The National Biometric Security Project (NBSP) is a tax exempt,
nonprofit 501(c)(3) organization incorporated and
headquartered in Bowie, MD. It is designed to perform
independent public services in support of anti-terrorist
and homeland security objectives. That service provides
unbiased support in the application of biometric technology
from the development of standards to focused
testing, research, training, and education for all public
and private sectors with responsibility for security of the
civilian national infrastructure.
The organization is designed for vigorous and economical
mission performance from its laboratory, the Biometric
Services International, LLC (BSI) located in Morgantown,
West Virginia, that provides testing, training, and
data services exclusively in biometric-related subjects.
Testing services include objective certification of products
based on a general set of criteria common to all
biometric technology and standards conformance for
listing on a general Qualified Products List (QPL), as well
as specialized testing for homeland security applications
and other special client needs. Training programs focus
on general orientation, operator/user training, and certi-
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 xi
fied technician training. Data Services provides reference
materials in hard and web-based versions and maintains
special databases for support of biometric and identity
management activities.
NBSP’s permanent staff is efficiently supplemented, as required,
by external organizations contracted to perform
substantive research and technical work, highly specialized
and experienced consultants, and research organizations
focused on biometric or identity matters, such as
the Center for Identification Technology Research (CITeR)
at West Virginia University and other academic institutions
associated with CITeR.
Purpose and Objectives
•
•
•
•
•
Learning and comparing how various biometric technologies
perform and have performed in real-world
applications (both successfully and unsuccessfully),
and why.
Providing a means to evaluate various biometric solutions
based on specific application parameters and
requirements.
Determining where, when, and why a biometricbased
solution is a good fit, or when, where, and why
it is not.
Supporting technology evaluation by defining the
questions to ask, identifying other considerations
and understanding the issues generated by the need
for interoperability.
Helping to answer such questions as: How do I evalu-
Version 2 – Summer 2008

Volume I xii Abstract
ate various systems? How do I integrate/apply the
technology? How do I use the technology? What is
the best technology for my application?
The BTAM is published in three parts: Volume 1, Volume
2, and Volume 3,which also includes an Appendix. These
volumes are different from other textbooks and research
reports on biometrics because they are: (1) specifically
focused on the practical needs of the new user as well
as the more familiar practitioner; and (2) are maintained
on a current basis to avoid short shelf-life. The BTAM is
designed to treat real world requirements in a “how to”
approach that goes beyond theory but avoids inundating
the reader in technical detail.
There is a significant volume of valuable work on the
subject of biometrics by many authors. The BTAM was
not published to replace that body of work, but rather to
compile some of the best of that content in an organized
and focused product with emphasis on the user. Equally
important, the objective of the BTAM is to help solve the
issue of short shelf-life of biometric publications in a rapidly
evolving technology base by including a process for
regular updating of each volume.
In researching and compiling the BTAM, the authors relied
heavily on secondary research from already-published,
public sources. For a list of the reference materials,
authors, publications, and other sources used and
referenced in this compilation, please see appropriate
footnotes as well as the Bibliography.
Volume 1: Biometric Basics (updated
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 xiii
Summer 2008)
Volume 1 is a primer on biometrics as it presents and defines
biometrics, including:
•
•
•
•
•
•
The types and fundamentals of the various technologies
and how they work;
How system requirements should be defined and the
appropriate performance specifications to consider;
An update on biometric standards development;
Why biometric standards are critical to integrating
full-solution systems;
Insight regarding testing protocols and system
evaluation;
Description of the various societal issues—legal, privacy,
and user psychology—that are critical to selecting
and implementing a successful biometric-based
security and identification management solution.
Volume 2: Applying Biometrics
Volume 2 is the follow-up to Volume 1, moving from
the basic information about biometrics more generally
to specific case studies and applications. A common
theme throughout Volume 2 addresses the issue of what
a buyer/end-user needs to know to make an informed
decision about which technologies will work best for a
given application. This is supplemented with case studies
of biometric technologies—why the technology worked
Version 2 – Summer 2008

Volume I xiv Abstract
(or didn’t work); and why it was chosen over other options.
Applications presented are both United States and
non-United States, and include civil infrastructure (both
government and private sector), state and regional, and
urban and local examples.
Additionally, Volume 2 helps the reader assess system
selection and management; define security needs and
objectives; design and integrate biometrics; understand
and plan for maintenance and system services; and design
and implement appropriate user and operator training
programs.
Sections to be included in the BTAM Volume 2 include 1 :
Section 9: System Requirements and Selection
Section 10: Applications and Design
Section 11: Integration and Installation
Section 12: Operations and Management
Section 13: Maintenance and Services
Section 14: Training
Biometric Application Case Studies
Appendices
a.
Biometric Selection and Application Checklist
1 Section titles and content are subject to change prior to pub-
lication of BTAM Volumes 2 and 3.
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 xv
b.
c.
d.
e.
Internet Resources
Biometric Publications
Education and Training Resources
Industry Associations
Volume 3: Biometric Case Studies, Best
Practices, and Business Cases
Volume 3 will be the largest collection available of case
studies, to date, and will include end-user interface evaluation
and privacy impact details. Volume 3 will be segmented
into government, private, and education applications.
Topics that will be discussed include:
•
•
•
Identification of large and small-scale government,
private industry, and educational applications of
biometrics
Input from end-user representatives of these programs
to produce case studies of the biometric applications
to include privacy impact details, as available
Evaluations and details of business cases for large
and small-scale programs.
Intended Audience
This manual is predominantly intended for individuals
with responsibility for security and protection of the civil
infrastructure and related applications. Those who will
Version 2 – Summer 2008

Volume I xvi Abstract
find this manual helpful include, but are not limited to:
•
•
•
•
•
•
•
•
•
Security directors/managers in both the private and
public sectors
Chief Security Officers (CSO)
Chief Information Officers (CIO)
Chief Information Security Officers (CISO)
Chief Privacy Officers (CPO)
Infrastructure Assurance and Risk Assurance Managers
Site security officials in both the private and public
sectors
Biometrics and security systems integrators
Vendors who seek insight on the requirements for
their products
Disclaimer
The National Biometric Security Project (NBSP) and the
Biometric Technology Application Manual (BTAM) do not
and cannot provide legal advice nor is the BTAM a substitute
for professional engineering design support. The
information in this publication is for general information
purposes only. None of the information contained in
Volume 1, Volume 2, and Volume 3, is intended to be or
should be relied upon as specific or definitive for designing
a particular program, system, process, or legal policy.
The reader should obtain the advice of a suitably quali-
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 xvii
fied engineer, attorney, or experienced practitioner before
taking any action in the application and use of any of
the information contained in this publication.
Updates and Errata
NBSP intends to regularly update the BTAM with new and
revised material from all relevant sources. NBSP is also
interested in the comments and feedback of its readers.
Every effort has been made to contact copyright holders
for content and images used in this manual. The publisher
apologizes in advance for any unintentional omissions
and will insert appropriate acknowledgments in subsequent
editions of the publication.
Foreword
Few would theoretically deny the unique nature of each
member of the human race. In virtually every aspect of
our being, people demonstrate combinations of characteristics,
physical, emotional, and behavioral, which
set us apart from everyone else on the planet, including
those who preceded us here. Acknowledging the unique
quality of each human life has not, unfortunately, always
supported a further recognition that our “uniqueness”
deserves the dignity, respect, and equality that should be
afforded every individual. Perhaps our historical inability
to measure that quality of “uniqueness” has contributed
to the lapses between the theoretical acceptance of our
unique nature and the social errors that ignore our individuality.
One of the greatest social documents in the history of
Version 2 – Summer 2008

Volume I xviii Abstract
civilization declares “all men are created equal....”; yet
through ignorance or deviousness, many have worked
throughout history to deny us that equality and even
our individuality. An argument may be made that technology
that supports proof of our unique human quality,
also supports our equality under creation. From that
perspective, the science or technology of identification
should be viewed as one of the most significant developments
in the history of man.
Mankind has searched from antiquity for a method or
device to assert and affirm individual identity. In those
communications or transactions requiring some assurance
of authority or non-repudiation, some sign or seal
became a necessary component to validate or certify the
execution of the action. So, still today, we require at least
a signature to complete the deal.
The search for the perfect assurance of identity or “uniqueness”
is not over. But the technology of biometrics addressed
by this manual has clearly established that such
an objective is not only achievable, but is in early practical
form, ready and waiting for effective use.
The issue of how this technology impacts the treasured
right of or desire for “privacy” and our “civil liberties” is a
valid concern. Any advance in automated human identification
can be a double-edged sword; abused by those
who dismiss the importance of the individual for the
“greater good,” but also holding the potential as a tool for
enhanced individuality and protection of identity when
used properly. Achieving the proper balance is also discussed
later in this work.
The term “biometrics” is derived from the function of
measuring biological characteristics. For purposes of
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 xix
this manual, biometrics is used to generally describe the
art and science of capturing a personal characteristic,
feature, or trait, for subsequent use in a system or subsystem
designed for automated human identification or
recognition.
Biometrics is not an overnight sensation. The years of
development of the technology are now in the fourth
decade if confined to its automated form, and can be
measured in centuries if it includes all rational attempts
to measure and compare human characteristics. As in
many other areas, advances in computer technology
also accelerated the capabilities and quality of biometric
technology. In studying its potential and considering
specific applications for use, it is important to appreciate
its substantive qualities and inherent limitations. Make
no mistake however, there is no equivalent substitute for
biometrics in the automated human identification function,
and any claim to the contrary, including those who
assert we can rely on “something we have” or “something
we know” without biometrics, must be treated with great
skepticism. Later in the manual, distinctions between
this assertion and other functions such as authentication
(where other alternatives with or without biometrics do
exist) will be clarified.
Biometrics are not only here to stay as the best component
of an automated identification program but have
hardly begun to scratch the surface in responding to
the need for the ultimate measure and validation of our
unique individual nature.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 1 1
Section 1: Introduction
Levels of Identification
Biometric technologies are automated methods for recognizing
individuals based on biological and behavioral
characteristics.
Biometric technology involves the capture and storage
of a distinctive, measurable characteristic, feature, or trait
of an individual for subsequently recognizing that individual
by automated means.
Automated methods of recognizing a person based on a
biological or behavioral characteristic is the basic tenet
underlying biometrics. As a “modern day” technology,
biometrics has been around since the 1960s. Biometric
authentication is the “automatic,” “real-time,” “non-
forensic” subset of the broader field of human identification.
2 Humans recognize each other according to their
various characteristics. For example, friends, family, and
co-workers recognize each other by faces and voices.
A biometric system is essentially a pattern recognition
system that recognizes a person by comparing the binary
code of a uniquely specific biological or physical
characteristic to the binary code of the stored characteristic.
Samples are taken from individuals to see if there is
similarity to biometric references previously taken from
known individuals. The system then applies a specialized
mathematical algorithm to the sample and converts
2 Fundamentals of Biometric Authentication Technologies. James L.
Wayman. National Biometric Test Center. Used with permission.
Version 2 – Summer 2008

Section 1 2 Introduction
it into a binary code and then compares it to the template
sample to determine if the individual can be recognized.
In the case of access control, a person requesting
access will be asked to submit a sample and (often,
but not always) claim an “identity” or “oneness of source”
with a template already stored. If the acquired sample is
adequately similar to the claimed stored template, the
access authorizations for the template can be checked
and applied to the live person now seeking access. A
reference model or reference containing the biometric
properties of a person is stored in the system (generally
after data compression) by recording his/her characteristics.
These characteristics may be acquired several times
during enrollment in order to get a reference profile that
corresponds most with reality.
Establishing human identity (“oneness” with a person
already known to the system) reliably and conveniently
has become a major challenge for a modern-day society.
The explosive growth in Internet connectivity and
human mobility has led to new models of person-to-person
interaction that require new ways of proving identity,
establishing trust, and authorizing access. Biometric
technologies developed in response to this growing
worldwide demand for automated human identification
include—as discussed in this manual—finger, face, hand,
iris, and other identifiers. All of these rely on the science
of pattern recognition to establish an individual’s identity
based on stable physical patterns on his/her body.
Today’s technology has reached a level of maturity that
biometrics are now relied upon by an increasing number
of applications in security, identity programs, and identity
management systems. 3
3 From The Science and Technology of Biometrics and Managing Human
Identity. Joseph Atick, Identix, Inc.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 1 3
This measurable characteristic, the biometric, can be
primarily anatomical—such as eye, face, finger image,
hand, and voice—or primarily behavioral—such as signature
and typing rhythm, but most biometrics combine
both anatomical and behavioral components. The biometric
system must be able to identify a person based
on one or a combination of these biometric identifiers
quickly, automatically, and with little or no human intervention
in the decision.
With biometric technology, a more robust level of security
and protection can be achieved in the identification
component of access control, ID, and verification
programs.
Three basic means or levels of identification are often
referred to in identity management functions:
•
•
•
The lowest level is defined as “something you have”
in your possession, such as an ID badge with a photograph
on it.
The second level is “something you know,” such as a
password used with computer login or PIN code to
use at a bank ATM.
The highest level is “who you are,” which encompasses
biometrics - the measurement of physical characteristics
or traits.
It is important to note that biometric technologies, even
at their best, are not the panacea to security and identification
issues. To achieve the most robust level of security,
biometric technologies need to be part of a broader
and complete risk management system that incorporates
multiple security technologies.
Version 2 – Summer 2008

Section 1 4 Introduction
There are several mature biometric systems available in
the market today and many successful applications of
biometric technology. The technology has proven capable
of decreasing costs and increasing convenience
for both users and system administrators. Furthermore,
properly employed these systems are capable of improving
privacy and resisting identity theft.
One of the major impediments to widespread implementation
of biometric technologies at the consumer level is
the wide variety of competing, vendor-proprietary devices
that have been developed without general standardization.
The primary barriers to using biometrics more
broadly in the private sector have had to do with limited
compliance with existing standards, scalability of the systems,
interoperability, usability, security, buyer concerns
about return on investment (ROI), and issues concerning
attacks on privacy. Each of these barriers have reasonable
solutions or are susceptible to an effective and acceptable
compromise..
The costs of biometric devices and software have declined
rapidly over recent years and the technology is now being
offered as a standard component in a number of security
applications, such as laptop computer login and
facility access control. In addition, significant increases in
computing power, along with continuing advancements
in biometric software algorithms and sensor hardware,
have resulted in vastly improved speed and accuracy for
the more widely used biometric methods. Since the tragic
events of September 11, 2001, governments have rushed
to embrace biometrics as a key component in their multilayered
security systems for anti-terrorism and homeland
security applications such as border control.
Utilized in isolation or integrated with other technolo-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 1 5
gies, such as smart cards, encryption keys, and digital signatures,
biometrics are poised to pervade all aspects of
the economy. Utilizing biometrics for personal authentication
is more secure than current keys, passwords,
and PINs since it verifies the identity of a specific person
rather than confirming the validity of a number or
the possession of a card or token. With the rapid growth
of electronic commerce there is a growing need to authenticate
the identity of a person for secure transaction
processing. Biometric technologies are poised to form
the foundation of an array of highly secure, fast, accurate,
and user-friendly identification and personal verification
solutions.
Privacy concerns are more pronounced when it comes
to implementing biometric-based systems in private,
consumer-facing applications. Biometric data, a mathematical
representation of the anatomical feature, is separate
and distinct from personal and private information
whose loss is at the heart of privacy concerns. Although
biometric data have been resistant to reverse engineering,
both data sets need to be secured to allay these concerns.
Because of these inherent attributes, biometrics
are an effective means to further secure privacy and
deter identity theft, but their application must be carefully
designed to achieve that objective. For example,
biometrics can be used for computer and network access
control purposes, thereby restricting unauthorized
personnel from gaining access to sensitive business and
personal information. With the improvement in technology
and decrease in prices, the use of biometrics should
expand at an ever-increasing rate.
Version 2 – Summer 2008

Section 1 6 Introduction
Biometrics for Identity Management
What is identity management? Identity management
is defined as “the registration, storage, protection,
issuance, and assurance of a user’s personal identifier(s)
and privilege(s) in an electronic environment in a secure,
efficient, and cost-effective manner.” 4
Identity management is an increasing concern across the
public and private sectors. In the private sector it is most
frequently thought of in the context of identity theft. According
to FDIC figures, 10 million Americans suffered
identity theft in 2003 with a cost to business in excess
of US$50 billion and a personal impact that is difficult to
estimate. As staggering as this sum is, identity theft is at
the heart of significantly broader economic vulnerabilities
and national security concerns. Using biometrics to
develop identity theft countermeasures has direct impact
on civil infrastructure protection.
Authentication and identification of people are critical to
eliminating threats to national security and public safety,
and securing business transactions. As technology
advances and public policy debates continue over the
pros and cons of national identity programs, the identity
management industry continues to grow and change.
Specific to biometric technologies, increased attention
to homeland security, for example, has spurred significant
growth.
Organizations, whether public or private, large or small,
4 According to Daon. Biometric Identity Management in Large-
Scale Enterprises. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 1 7
Figure 1-1 A complete identity management system.
are looking to increase the levels of accountability and
security among employees, partners, and customers.
The most effective way to do this is to centralize identity
management functions in a single location—moving
away from identity stovepipes—so it can be effectively
managed and the appropriate level of trust can be maintained
in the authentication process.
Biometrics provide one of the most secure and effective
ways to authenticate an individual, whether through the
biometric itself or in conjunction with a PIN, password,
Version 2 – Summer 2008

Section 1 8 Introduction
or other token. Designed properly, biometric identity
management addresses the proper management of biometric
identities, particularly for large-scale enrollment
(database) populations.
Biometric system deployment encompasses several functions,
5 including identity registration, storage, assurance,
protection, issuance, life cycle management, and system
management, which all must be taken into account and
integrated for the best results (see preceding graphic).
Biometric algorithms (software) have reached the levels
of accuracy required for broad-scale use and the costper-user
has declined significantly in recent years, yielding
a form of authentication that is more cost effective
and secure than traditional means. Organizations looking
to deploy a biometric-based solution should consider
the full spectrum of such use and adopt an integrated
design that enables a multi-factor approach (and multimodal
6 where appropriate), flexible authentication and
authorization policies while maintaining (or enhancing)
individual privacy, and is provided on a scalable, accessible,
and secure infrastructure.
5 According to Daon. Biometric Identity Management in Large-
Scale Enterprises. Used with permission.
6 Mulit-modal is the use of multiple biometrics in a single application,
such as the new U.S. passports that will include both
facial and fingerprint biometrics.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 1 9
NOTE: The terms “reference” and “template” may be
used interchangeably throughout the BTAM. However,
“template” refers specifically to the code that contains the
characteristic feature or sample; “reference” is a broader
term that describes any data used in the matching process.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 1
Section 2: Fundamentals of Biometrics
The Origin of Biometrics 7
The term “biometrics” is derived from the Greek words
bio (life) and metric or metry (to measure). Interestingly,
the term “biometrics” was not used to describe these
technologies until the 1980s. The first reference 8 found
for the term “biometrics” was in a 1981 article in The New
York Times.
Centuries before “automated” biometric technologies
became possible with the advent of computers, algorithm
development, and processing power, there were
several types of non-automated biometric methods used.
The first known reference to non-automated biometrics
was in prehistoric picture writing of a hand with ridge
patterns that was discovered in Nova Scotia. Fingerprint
recognition represents the oldest method of biometric
identification, with its history going back as far as
at least 6000 B.C. The first recorded use of fingerprints
was by the ancient Assyrians, Babylonians, Japanese, and
Chinese for the signing of legal documents. In ancient
Babylon, fingerprints were used on clay tablets for business
transactions. A form of fingerprinting was used
in China, as reported by explorer Joao de Barros. He
wrote that Chinese merchants were stamping children’s
7 Biometrics-Now and Then: The Development of Biometrics Over the Last
40 Years. James L. Wayman. Used with permission.
8 According to James L. Wayman in Biometrics-Now and Then: The Development
of Biometrics Over the Last 40 Years. New York Times article:
“Technology; Recognizing the Real You” A. Pollack. September 24, 1981.
Used with permission.
Version 2 – Summer 2008

Section 2 2 Fundamentals of Biometrics
Figure 2-1 Chart demonstrating
“Bertillonage” measurements.
9
palmprints and footprints on paper
with ink to distinguish the children
from each other.
The first modern study of fingerprints
was done by Johannes Evangelista
Purkinje, a Czech physiologist
and professor of anatomy at
the University of Breslau. In 1823,
he proposed a system of fingerprint
classification.
The English began using palm and
fingerprints in India in July 1858,
when Sir William Herschel pressed
handprints on the backs of contracts.
Herschel moved from palmprints
to prints of the right index
and middle fingers.
In the 1890s, an anthropologist and police desk clerk in
Paris, France, named Alphonse Bertillon sought to fix the
problem of identifying repeat offenders who often gave
aliases each time they were arrested. Bertillon realized
that certain elements of the body remained stable and
unchanging, such as the size of the skull or the length
of the fingers. He developed a method of multiple body
measurements that was named after him and called
Bertillonage. His system was used by police around the
world but quickly faded when it was discovered that
some people shared the same measurements in certain
parts of their bodies.
9 Source unknown.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 3
In the late 19th century, Sir Francis Galton wrote a detailed
study of fingerprints in which he presented a new
classification system using prints of all 10 fingers. According
to Galton’s calculations, the odds of two individual
fingerprints being the same were 1 in 64 billion.
Galton identified the characteristics by which fingerprints
can be identified (minutia), which are basically
the same ones still in use today. This classification of
minutia is often referred to as Galton’s Details.
Also, during the 1890s, the police in Bengal, India, under
the British police officer Sir Edward Richard Henry, began
using fingerprints to identify criminals. As assistant commissioner
of metropolitan police, Henry established the
first British fingerprint files in London in 1901. The Henry
Classification System is used today in all English speaking
countries.
In 1903, the New York State Prison System began the first
systematic use of fingerprints in the United States for
criminals.
In 1904, the use of fingerprints began in Leavenworth
Federal Penitentiary in Kansas and at the St. Louis [Missouri]
Police Department.
In 1905, the U.S. Army began using fingerprints. Two
years later, the U.S. Navy began using fingerprints and
was joined the following year by the Marine Corps. During
the next 25 years, increasing numbers of law enforcement
agencies joined in the use of fingerprints as a
means of personal identification.
Some of the earliest work on machine recognition of faces
can be traced back to the 1960s at a company called
Panoramic Research in Palo Alto, California. This type of
Version 2 – Summer 2008

Section 2 4 Fundamentals of Biometrics
research, later referred to as artificial intelligence, was
conducted by Woody Bledsoe, a pioneer in the field of
automated reasoning. The technique he developed was
called “man-machine facial recognition” and used a process
known as feature extraction.
Nineteen seventy-four was a breakthrough year for
automated biometrics, as the University of Georgia
began using hand geometry in its dormitory food service
areas. Both the Stanford Research Institute in the United
States and the National Physical Laboratory in the United
Kingdom had begun working on signature recognition
systems.
In 1985, one of the first retinal scanning systems was
deployed for securing access to a Defense Department
facility at the Naval Postgraduate School.
In the mid-1980s, the State of California began collecting
fingerprints as a requirement for all driver license applications.
The first biometric industry organization, the International
Biometrics Association (IBA), was founded in
1986–1987.
Iris recognition technology was developed in the 1980s
by Dr. John Daugman at the University of Cambridge.
Other new technologies produced during this time included
facial thermography and the first commercially
available facial recognition systems.
In 1998, the International Biometric Industry Association
(IBIA) was founded in Washington, DC, as a non-profit industry
trade association to advance the collective international
interests of the biometric industry. The National
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 5
Biometric Security Project (NBSP) was founded in 2001
to respond to the events of September 11, 2001, and the
need for accelerated development and deployment of
biometrics technologies.
How Biometric Technologies Work—
In General
At their most basic level, biometric technologies are
pattern recognition systems that use either image-
acquisition devices, such as scanners or cameras in the
case of fingerprint or iris recognition technologies, or
sound or movement acquisition devices, such as microphones
or platens in the case of voice recognition or signature
recognition technologies, to collect the biometric
patterns or characteristics. The characteristics of the ac-
Figure 2-2 Generic Biometric Process
Version 2 – Summer 2008

Section 2 6 Fundamentals of Biometrics
Figure 2-3 Diagram of a “generic” biometric-based system. 10
quired samples considered the most distinctive between
users and the most stable for each user are extracted and
encoded into a biometric reference or template that is
a mathematical representation of a person’s biometric
feature. These templates are stored in a database or on
a smart card or other token and used for comparison
when recognition is warranted. Biometric systems are
automated by hardware and software, allowing for fast,
real-time decision making in identification situations.
Different biometric technologies offer varying features
and benefits, which should be analyzed based on how
and why they will be used. They all vary in performance,
capabilities, infrastructure requirements, and cost, and
all have their unique limitations and operating methodologies.
10 Provided courtesy of SAFLink Corporation. Used with per-
mission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 7
While individual biometric devices and systems each
have their own operating methodology, there are some
generalizations that can be made as to what typically
happens within a biometric system implementation.
Before an individual’s identity can be verified via a biometric,
a biometric template or model must first be created.
This template serves as the template data against
which subsequent samples/templates provided at time
of verification are compared. For some technologies, a
number of templates or images are typically captured
during enrollment in order to create a truly representative
template via an averaging or best image candidate
selection process. The template is then referenced
against an identifier (typically a PIN or passcode if used in
conjunction with existing access control tokens) in order
to recall it for comparison with a live sample at the transaction
or entry point.
The positive ID verification/identification of the subject
during the enrollment procedure and quality of the resultant
template or reference are critical factors in the overall
success of a biometric application. The former refers
to the corroborating identity documents (commonly referred
to as “breeder documents”) the user brings to the
initial enrollment process. These documents, or other
sources of validation, must undergo the highest scrutiny,
lest the biometric be associated with a false identity.
A poor quality template or reference can cause considerable
problems for the user, often resulting in re-enrollment.
Template storage is an area of considerable and
growing concern, particularly with large-scale applications
that may accommodate hundreds-of-thousands of
individuals. The resources to assure the security, quality,
Version 2 – Summer 2008

Section 2 8 Fundamentals of Biometrics
maintenance, and management of the data can be formidable
and the liability, should the security of the templates
be breached, considerable.
Possible template storage options include:
1.
2.
3.
Store the template within the biometric reader device
or PC.
Store the template remotely in a central repository.
Store the template on a portable token or media,
such as a smart card.
Option 1: Storing the template within the biometric reader
device or PC has both advantages and disadvantages,
depending on exactly how it is implemented. The advantage
is potentially fast operation as a relatively small
number of templates may be stored and manipulated efficiently
within the device or PC. In addition, there is no
reliance on an external process or data link to access to
the template. In the event of device failure, an alternative
device or access point may be substituted as a temporary
measure. In some cases where devices may be
networked together directly, it is possible to share templates
across the network.
The potential disadvantage is that templates may be
somewhat vulnerable and dependent upon the device
being both present and functioning correctly. If anything
happens to the device, the template database may
need to be re-installed or the user re-enrolled. For templates
stored on a hard drive of a personal computer,
damage to the disk drive or corrupted data may require
re-enrollment of the user.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 9
Option 2: Storing the template in a central repository is
the option that will most likely occur to IT systems administrators.
This may work well in a secure networked
environment where there is sufficient operational speed
for template retrieval to be invisible to the user. Use of
a central data repository also allows more effective use
through network-wide enrollment and disenrollment.
While very large central databases raise other concerns
discussed elsewhere in this manual, they might be the
only efficient way to manage a large identity management
system. Care should be taken in system design to
ensure the templates are protected when in transit over
the network through encryption.
Potential disadvantages could be that with a large number
of readers working simultaneously, there could be
significant data traffic, especially if users are impatient
and submit multiple verification/identification attempts.
The size of the biometric template itself will have some
impact on this issue, with popular methodologies varying
between nine bytes and 6Kb. Another aspect to consider
is if the network fails, when the system effectively stops
unless there is reliable network backup or some type of
additional local/remote storage. This may be possible to
implement with some devices using the internal storage
on a device or PC for recent cached or localized users and
instructing the system to search the central repository if
the template cannot be found locally.
Option 3: Storing the template on a token is an attractive
option for two reasons. First, it requires no local or central
storage of templates and, second, the user carries his/
her template with him/her and can use it at any authorized
reader device. The template could be stored in the
memory of the card or token device or even printed on a
card or document in barcode format.
Version 2 – Summer 2008

Section 2 10 Fundamentals of Biometrics
Potential disadvantages include the potential loss or
damage of the token and the resulting need to re-enroll
the user. Additionally, if the user is attracted to the system
because he/she believes or was advised that he has
effective control and ownership of his own template,
there may be objections to also storing the templates
elsewhere in the system. Another potential disadvantage
may be unit cost and system complexity if chip
card/smart card readers and biometric readers need to
be combined at each enrollment and verification station.
Finally, if the chip’s operating system and data are successfully
hacked, this option could be vulnerable from a
security standpoint.
Overview of Applications
Each biometric technology has its set of strengths and
weaknesses, depending upon its application. It is therefore
imperative that there is a clear understanding of the
final application(s) and their operational requirements
before any purchase and implementation decisions are
made. Although the use of each biometric is clearly different,
some striking similarities can emerge when considering
various applications. Most biometric applications
can be divided into the following categories: 11
• Overt or covert systems—Will
the user proactively
and knowingly be identified by the system or will it
be designed to covertly scan the secured area? Either
way, a person must have a biometric template
on file for him/her to be recognized.
11 Adapted from Fundamentals of Biometric Authentication Technologies.
James L. Wayman National Biometric Test Center. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 11
• Voluntary or involuntary systems—Will
system users
be required to participate in the system to receive access
or benefits, or are there opt-out or work-around
options?
• Attended or non-attended systems—Will
the system be
designed for people to use in a remote location, without
assistance? Or will users always have technical
assistance and/or attendants available? Involuntary
and/or covert systems usually require supervision or
attendance to monitor system use. Voluntary and/or
overt systems may be “unattended.”
• Standard or non-standard operating environments—
How much customization will be required for the
readers to operate appropriately and the network to
communicate and function properly? Will the system
be used outdoors or indoors? Outdoors environments
typically fall into “non-standard” operating
environments.
• Public or private systems—Is
the use of the biometric
system for a public program or access to a public
facility, or for access to a private company or information?
Cooperation with the biometric system can
often be directly attributed to whether a system is
public or private (i.e., employees).
• Physical security and access control—Are
users trying
to gain access to a facility or area?
Cyber and computer/network security
• —Are users trying
to gain access to a computer or protected information
on a computer or the Internet?
Version 2 – Summer 2008

Section 2 12 Fundamentals of Biometrics
• Identification—Is
the biometric being used for identification
purposes for access to benefits, information,
border crossing, licensing, etc.?
Biometric applications can operate in either of two
modes—verification or identification. Verification is the
process of comparing a presented biometric template
with stored biometric reference(s) that are associated
only with that specific user. Verification applications are
often referred to as one-to-one matching (or 1:1). During
the verification process, a user will typically enter
their name, unique ID number or present a token or ID
card. This becomes their “claim” of identity. Then the user
must authenticate or verify against their claim of identity
by presenting their biometric sample and having the resulting
template matched against the reference(s) associated
with that user’s enrollment record. In verification
applications, the user is attempting to prove that they
are the person that they claim to be. Verification is commonly
used in access control applications where a person
has already been granted privileges or access rights
and the system needs to verify that the person seeking
access under that name or identity is, in fact, that person.
In identification applications, the system is attempting to
determine if the person is known to the system (with or
without a claimed identity) by comparing the presented
biometric sample and resultant template with all known
references in the database. Identification is also referred
to as one-to-many matching (or 1:N). Identification applications
are typically used for law enforcement investigations
or to screen applicants for entitlement benefits
to make sure that the person is not already enrolled in
the system and receiving benefits under another name
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 13
or identity. Identification is often performed during or
immediately following the initial enrollment of the person
and may not provide an immediate result depending
on the matching speed of the technology and the number
of records being matched.
Errors and Error Rates
No biometric system can recognize a person absolutely.
While it appears to give a simple yes or no answer, it
is, in fact, measuring how similar the current biometric
data is to the record stored in the database and makes a
decision according to the probability that the biometric
sample comes from the same person that provided the
stored biometric template. While there are several types
of errors that occur in biometric systems, there are two
major classes of errors that relate to the system’s accuracy;
comparison errors and decision errors.
The errors discussed below have error “rates” associated
with them. Thus, a False Match has a False Match Rate
(FMR) associated with it, a False Non-Match a False Non-
Match Rate (FNMR) and so on. These rates are established
by extensive testing, and are nothing more than
how often these errors have been shown to occur during
testing. Expressed mathematically, a rate is the expected
probability that this error will occur in this biometric system.
These rates provide quantifiable metrics that allow
one to compare the effectiveness of various technologies
and the various products therein.
Comparison errors are erroneous matches or nonmatches
that could be considered “machine functions,”
or more semantically correct, machine malfunctions.
Version 2 – Summer 2008

Section 2 14 Fundamentals of Biometrics
A false match is an erroneous conclusion by the biometric
system that a template stored in its database is from the
same person that has just presented a biometric sample,
when in fact, it is not.
A false non-match is an erroneous conclusion by the biometric
system that a template stored in its database is
not from the same person that has just presented a biometric
sample, when in fact, it is.
Decision errors are erroneous conclusions arising from
comparison errors. The definitions of decision errors depend
upon the application (the premise by which a subject
uses the system).
A false accept in an application such as access control,
where the subject makes a “positive” claim of enrollment
(“I am enrolled as Pat”) is an erroneous conclusion by the
biometric system that a template stored in its database
is from the same person that has just presented a biometric
sample, when in fact, it is not. A false accept rate
(FAR), is the expected probability that this will occur in
this particular biometric system, in this application. In
a positive identification application, false accept is the
same as false match.
A false reject in a positive identification application such
as access control is an erroneous conclusion by the biometric
system that a template stored in its database is
not from the same person that has just presented a biometric
sample, when in fact, it is. A false reject rate (FRR),
is the expected probability that this will occur in this particular
biometric system, in this application. In a positive
identification application, false reject is the same as false
non-match.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 15
A false accept in a negative identification application
where a “negative” claim of enrollment (such as watch
lists, or benefits entitlements, where a person claims “I
am not enrolled in the system”) is an erroneous conclusion
by the biometric system that no template stored in
its database is from the same person that has just presented
a biometric sample, when in fact, one is. A false
accept rate (FAR) is the expected probability that this will
occur in this particular biometric system, in this application.
In a Negative identification application, false accept
is the same as a false non-match, although the rates may
be different depending upon the number of comparison
attempts made in reaching the “accept” decision.
A false reject in a negative identification application
(such as watch lists, or benefits entitlements) is an erroneous
conclusion by the biometric system that a template
stored in its database is from the same person
that has just presented a biometric sample, when in
fact, it is not. A false reject rate (FRR), is the expected
probability that this will occur in this particular biometric
system, in this application. In a negative identification
application, false reject is the same as false match,
although their rates may be different depending upon
the number of comparisons required to make a “reject”
decision.
This somewhat confusing distinction is the result of
new, non-traditional applications that have been developed
for biometric systems. Historically, FAR and FRR
have been used synonymously with FMR and FNMR
respectively. However, with the emergence of negative
identification systems, usually 1:N identification systems,
they are no longer synonymous.
Version 2 – Summer 2008

Section 2 16 Fundamentals of Biometrics
In traditional access control applications (positive ID systems),
the premise of the user was always “I am in the system
and entitled to enter.” A false acceptance occurred
when the subject was an impostor and not entitled to
entry, but as the result of a false match, he was allowed
entry. Likewise, subjects who were legitimately enrolled
in the systems became victims of a false rejection when
there was a false non-match.
In today’s negative identification systems such as watch
lists, correctional facilities, and detection of double dippers
in benefits entitlement programs, the premise of
the user is “I’m not in the system and never have been.”
In these applications, a false accept occurs when the system
commits a false non-match error, and a false reject
occurs when the system commits a false match error.
Failure to Acquire
Further adding to the confusion of terms is the condition
of “failure to acquire,” which may be construed as a
false reject. This condition may occur when the reader
or imager fails to capture an image of sufficient quality
to produce a usable template. If the device or system is
not capable (and most are not) of detecting the difference
or reason for the rejection (no match or poor quality),
the conclusion may be incorrect.
Further into the manual, an attempt will be made to sort
out a more useful way to consider these terms and rates,
particularly in assessing test results.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 17
Personal Biometric Criteria
Any human biological or behavioral characteristics can
become a biometric identifier, provided the following
properties 12 are met:
• Universality:
Every person should have the characteristic.
There are always exceptions to this rule:
mute people, people without fingers, or those with
injured eyes. These exceptions must be taken into account
through “work-arounds” such as conventional
non-biometric authentication processes. Most biometric
devices have a secure override if a physical
property is not available, such as a finger, hand, or
eye. In these cases, the person is assigned a special
access device, such as a password, PIN, or secure token.
This special access code or token is entered into
the biometric device to allow access.
• Distinctiveness:
No two people should have identical
biometric characteristics. Monozygotic13 twins, for
example, cannot be easily distinguished by face recognition
and DNA-analysis systems, although they
can be distinguished by fingerprints or iris patterns.
• Permanence:
The characteristics should not vary or
change with time. A person’s face changes significantly
with aging and a person’s signature and its
dynamics may change as well, sometimes requiring
periodic re-enrollment. The degree of permanence
12 Adapted from An Introduction to Biometric Recognition. Jain, Ross,
and Prabhakar. IEEE Transactions on Circuits and Systems for Video
Technology. ® January 2004 IEEE. Used with permission.
13 A type of twins derived from a single (mono) egg (zygote).
Version 2 – Summer 2008

Section 2 18 Fundamentals of Biometrics
of the biometric feature has a major impact on system
design.
• Collectability:
Obtaining and measuring the biometric
feature(s) should be easy, non-intrusive, reliable,
and robust, as well as cost effective for the application.
Biometric System-Level Criteria
The preceding personal biometric criteria may be used
for evaluating the general viability of the chosen biometric
identifier. Once incorporated into a system design,
the following criteria 14 are key to assessing a given
biometric system for a specific application:
• Performance refers to the accuracy, resources, and
environmental conditions required to achieve the
desired results.
• Circumvention refers to how difficult it is to fool the
system by fraudulent means. An automated access
control system that can be easily fooled with a fingerprint
prosthetic or a photograph of a user’s face
does not provide much security—particularly in an
unattended environment.
• Acceptability indicates to what extent people are willing
to accept the biometric system. Face recognition
systems are personally not intrusive, but there are
countries where taking photos or images of people
14 An Introduction to Biometric Recognition. Jain, Ross, and Prabhakar.
IEEE Transactions on Circuits and Systems for Video Technology. ® January
2004 IEEE. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 19
are not viable. Systems that are uncomfortable to the
user, appear threatening, require contact that raises
hygenic issues, or are basically non-intuitive in practical
use will probably not find wide acceptance.
Key Elements of Biometric Systems 15
There are four universal elements to all biometric systems:
1.
2.
3.
4.
Enrollment
Biometric Template (or Reference)
Comparison and Comparison Errors
Networking
Typically, biometric systems or devices have three primary
components:
1.
2.
3.
Automated mechanism that scans or photographs
(video or still) and captures a digital or analog image
of a living biometric characteristic.
Another mechanism that handles compression, storage,
processing, and comparison of the captured data
with the stored data (enrollment template).
Interface with the application system.
15 Adapted from Biometrics: A Technical Primer. Elaine Newton and John
Woodward. Army Biometric Applications: Identifying and Addressing Sociocultural
Concerns. 2001. www.rand.org Santa Monica, CA: RAND
Corporation. Used with permission.
Version 2 – Summer 2008

Section 2 20 Fundamentals of Biometrics
Key issues and considerations surrounding the four universal
elements of all biometric-based systems can be
described as follows.
1. Enrollment
Proper enrollment instruction and training are essential
to good biometric system performance. Enrollment
is the first stage for biometric system set-up because it
generates the template that will be used for all subsequent
comparison and user recognition. In enrollment, a
biometric system is “trained” to recognize a specific person.
Typically, the reader takes multiple samples of the
same biometric that is presented by the user/enrollee
and averages them or selects the best quality sample to
produce an enrollment reference or template.
Not all biometric systems require the linkage of users
to “real world” identities. In fact, a number of companies
have actively promoted the use of “anonymous”
biometrics, linking users only to the biometric template,
without any record of “real” name or other identifier. In
most applications, however, there is a need to link users
to their legal identities for the purposes of accountability
and certification of external authorizations. In these
cases, the user/enrollee first provides his/her identification
document, such as a government-issued ID card,
passport, or driver license. Since the biometric template
is linked in many biometric systems to the identity specified
on the identification document, this identification
must be thoroughly authenticated (refer to the discussion
of “breeder documents” that follows). He/she then
presents his/her biometric (i.e., fingerprint, voice pattern,
iris pattern, signature, etc.) to the biometric reader. The
features of the presented biometric are read, calculated,
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 21
coded, and stored as the enrollment template for future
comparisons.
Biometric template size varies, depending on the vendor
and the type of biometric technology. (See Comparison
of Biometric Technologies – Matrix I in Section 3 for template
sizes of various technologies.) Templates can either
be stored in a central database, or within a biometric
reader, or on smart cards or other tokens.
For some biometric technologies, changes in the user’s
position or variations in the lighting surrounding the
reader, for example, can affect template generation. Ideally,
when the biometric system is deployed, enrollments
and daily usage will be done in the same environment,
using the same equipment. For example, if voice verification
is used in an environment where there is background
noise, both the enrollment voice template and
live voice templates [presented for recognition] should
be captured in the same environment. It is important to
remember that the quality of the initial enrollment template
and the absolute validity of the initial ID document
that is used to “verify” a person’s identity prior to biometric
enrollment are critical to the overall success of the biometric-based
system that requires linking of users to “real
world” identities and authorizations.
Pre-Enrollment Identity Validation
Not unlike the old cliché regarding computers, “garbage-
in-garbage out,” the legitimacy of the identity attached
to a new biometric template at the time of enrollment
in the system may be a significant weakness in the entire
process. If the basis of the individuals claim to an
identity presented at enrollment is not valid, we are ef-
Version 2 – Summer 2008

Section 2 22 Fundamentals of Biometrics
fectively granting the individual a new identity initiated
with the enrollment event. To minimize the potential for
fraudulent enrollment, a pre-enrollment validation, or
identity “proofing,” process that relies on identity source
documents (or “breeder documents”), validated templates,
personal history data mining, and background
investigations, can, in various combinations, be very
helpful. This process may be costly and time-consuming.
To the degree it can be automated without sacrificing
integrity, it should be considered a critical part of the
biometric deployment plan. It should be emphasized,
however, that not all biometric systems require any
linkage to “real” identities and that such linkage should
not be made unless required. Some of the largest biometric
systems now in use, such as that for access control
at Walt Disney World in Orlando, Florida, require
no linkage to “real” identity and consequently no pre-
enrollment identity validation.
Breeder Documents (Identity Source Documents)
Documents that are useful in providing some basis for
claims to identity for biometric enrollment are sometimes
referred to as identity source documents (also “breeder”
or “foundation” documents) and include; passports; birth
certificates; driver licenses; social security cards; government
or private sector organizational identity cards; program
eligibility identity cards; etc. Documents that contain
both a photograph and personal identity data are
more useful, as are documents that can be used to access
a database for source authentication (for example, a
state database of vital statistics or drivers license). Documents
that are designed to deter counterfeiting are also
preferable to those that can be more easily duplicated.
In some societies, the availability or use of “breeder” doc-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 23
uments is limited, or a more recent enterprise.
Data Mining, References, and Background
Investigations
While general Internet searches to access information related
to individuals raises the specter of privacy invasion,
a focused and limited use to validate an identity claim for
biometric enrollment can be useful and non-invasive. An
individual seeking enrollment should be advised that a
reasonable attempt to verify data they provide to support
their identity claim may be made by various means,
including search of data on the Internet. Direct contact
with references and inquiries to validate historical and biographical
information supplied by the candidate for enrollment
should all be included in the basis for “informed
consent” requested of the individual. Careful consideration
must be given, however, to whether linkage of the
records in the biometric system to external “legal” records
is really required and, if so, to what purpose and extent.
All of the common methods briefly described herein to
validate identity prior to enrollment are, of course, more
practical in societies and national entities where documentation
of individual identity and maintenance of statistics
from birth and throughout life are available. Where
this is not the case, the requirement is considerably more
difficult. Any reasonable means that do exist (for instance,
religious, educational, or health records) should be used
as alternatives to routine identification documents. In
such cases, a more detailed background file on initial enrollment
should also be constructed to document the
limited nature of pre-enrollment validation while beginning
the process of establishing a strong identity record
for the future.
Version 2 – Summer 2008

Section 2 24 Fundamentals of Biometrics
While the extent to which this process is developed and
pursued should, at least partially, be matched to the level
of importance, eligibility, or access that will be gained by
enrollment, administrators and managers should consider
the broader implications of biometric enrollment
that also justify such procedures.
At least a part of the terminology “breeder” document reflects
the tendency to accept a past assignment of identity
as the basis for validating a new claim. This is as true
for prior biometric enrollments as it is for identification
documents. Therefore, enrollment in a biometric system
with little or no pre-validation actions could be the beginning
(or breeding) of a repetitive process for establishing
new, but false, identities. Some might argue that
the ability of certain biometric technologies to generally
operate in the 1:N (one to many) technique will mitigate
against this threat because the “new” identity gained by
the imposter will be attached to them forever. While aspects
of this argument are valid, it is still true that most
biometrics function in the verification (one to one) mode
and we can expect that to be true for the foreseeable future.
There should also be no concession to a free pass
on a fraudulent attempt to change identity, even if it will
only happen once.
A complete biometric system or sub-system should include
a justification for the need to link to external identities,
and if that justification proves adequate, incorporate
a process or procedure for pre-validation of claimed
identity before the candidate for enrollment is accepted.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 25
2. Biometric Reference (or Template)
The data that is captured during enrollment is stored in
the biometric system as a template or reference. The biometric
system software will use a proprietary algorithm
to extract features that are appropriate to that biometric
as presented by the user, or enrollee. It is important to
note that biometric templates are only a record of distinguishing
features of a person’s biometric characteristic
or trait. Templates are usually not actual images of
the fingerprint, iris, or hand, etc. Biometric templates are
generally only numerical (mathematical or algorithmic)
representations of key data points (or minutia) read in a
person’s biometric feature.
Typically, templates are relatively small in
terms of data-storage size 16 when compared
with the original image or source pattern
data and, therefore, allow for more efficient
storage and quick processing. Each must be
stored, whether in a central database or on a
smart card or other token, so when the user attempts
to access the system, the characteristics
derived from the live biometric can be directly
compared to the enrolled template. Biometric
experts claim that it is virtually impossible to
reverse-engineer or recreate exactly a person’s
original biometric image, such as a fingerprint
16 In terms of the amount of computer memory needed to store and
process the reference.
17 Graphic from Fingerprint Matching Using Minutiae and texture
Features. Proceedings of the International Conference on Image
Processing (ICIP), Greece. Anil Jain, Arun Ross, Salil Prabhakar. October
2001.
Version 2 – Summer 2008
Figure 2-4 Minutia-basedfingerprint
image
with detected
minutia points
marked. 17

Section 2 26 Fundamentals of Biometrics
or iris image, from a biometric template, although it is
quite possible in some types of biometrics to reverse-engineer
an artificial image capable of generating the same
template.
3. Comparison and Comparison Errors
Comparison is the act of comparing one (or more) acquired
biometric sample to one (or more) stored biometric
templates to determine whether they “match,” that is,
come from the same source. In essence, there are three
ways a mistake can be made:
1.
2.
3.
Failure to enroll and failure to acquire
False acceptance (FAR)
False rejection (FRR)
Both failure to enroll and failure to acquire (during the
comparison process) mean the system is unable to “extract”
and distinguish the appropriate features of the
user’s biometric. For example, a small percentage of
the population cannot enroll a fingerprint, either because
their fingerprints are not distinctive enough or
the characteristics have been altered due to age or occupation.
Failure to enroll and/or failure to acquire indicate
this person’s biometric characteristics may not be
of sufficient quality to be used for recognition.
In access control systems, a false acceptance occurs
when a sample is incorrectly matched to a different user’s
template in a database (in the case of an access control
system, an impostor is allowed in the building). A
false rejection occurs when a sample is incorrectly not
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 27
matched to an otherwise correct matching template in
the database (in the case of an access control system, a
legitimate enrollee is falsely rejected).
In most biometric systems, the false acceptance and false
rejection thresholds can be adjusted, depending upon
the level of security required. For example, in a high security
access control application, the system can be adjusted
to err on the side of denying legitimate matches and
not tolerating impostors. Alternatively, a convenience-
focused application could be adjusted to offer little or no
denial of legitimate matches, while allowing some minimal
acceptance of impostors.
No biometric decision is 100 percent perfect in either verification
or identification mode because each time a biometric
is captured the extracted characteristics are likely
to be a little different due to changes in the environment,
lighting, user positioning, etc. Therefore, biometric systems
can be configured to make a match or no-match
decision based on a predefined mathematical measure
of similarity or difference, referred to as a threshold. This
threshold establishes the acceptable degree of similarity
between the presented sample and the template/enrollment
reference.
Upon comparison, a score representing the degree of
similarity (or difference, depending upon the system)
between the sample and template is calculated, and this
score is compared to the threshold to make a match or
no-match decision. For algorithms for which the similarity
between the two is calculated, a score exceeding the
threshold is not considered a match. For algorithms for
which the difference between the two is calculated, a score
below the threshold is considered a match. Depending
on the setting of the threshold in identification systems,
Version 2 – Summer 2008

Section 2 28 Fundamentals of Biometrics
Figure 2-5 Example of decision threshold for an iris recognition
system. 18
sometimes several enrollment templates can be considered
matches to the live, presented sample, with better
scores corresponding to better matches.
4. Networking
There are possible variations on a theme with regard to
networks. Some biometric systems/readers have integral
networking functionality, often via RS485 or RS422,
with a proprietary protocol. This may enable networking
a number of readers together with little or no additional
equipment involved, or maybe with a monitoring PC
connected at one end of the network.
18 Source: NBSP files.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 29
Alternatively, the networking, message passing, and
monitoring system may be designed by the system integrator,
taking advantage of generic biometric Application
Program Interfaces 19 (APIs) for accessing reader
functions directly. This allows the most flexibility and
control over systems design, provided that the selected
biometric reader and underlying device drivers and control
software support network applications. Still, another
option may be to use the vendor’s network for message
passing and primary interconnection, coupled with custom
software at the monitoring point, which may in turn
interface with other systems.
In some cases, there might be an existing network and
control interface into which the biometric readers could
be integrated via a common security standard. In some
cases, there may be an existing network and control interface
into which the biometric readers may be integrated
via interface standards such as BioAPI (Biometric Application
Programming Interface) and CBEFF (Common
Biometric Exchange Formats Framework). In this case
they will appear as just another reader, although separate
template storage and access may need to be provided.
Biometric Performance Metrics
Biometric Performance Measures—What Do They
Really Mean?
False accepts, false rejects, equal error points and crossover
rates, enrollment and verification times; these are
19 Application program interface: a set of routines, protocols, and tools
for building software applications.
Version 2 – Summer 2008

Section 2 30 Fundamentals of Biometrics
Figure 2-6 Graphs showing intersection between
FAR and FRR for verification. 20
typical performance measures quoted by biometric
technology vendors.
False accept rates (FAR) indicate the likelihood that a
“zero effort” impostor may be falsely accepted by the system.
False reject rates (FRR) indicate the likelihood that
the genuine user may be rejected by the system. These
decision errors can often be manipulated by the setting
of a threshold that will bias the device toward one form
of error or another. Thus, an integrator or system administrator
can bias the device towards a larger probability
of false accepts but a smaller probability of false rejects
(user friendly), or, vice versa, towards a larger number of
false rejects and a smaller number of false accepts (user
unfriendly). The two parameters, however, are typically
mutually exclusive.
20 Facial Recognition Biometrics: Applying New Concepts on Performance
Improvement and Quality Assessment. Babak Goudarzi Pour and Marcus
Zackrisson. Page 34. May 2003.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 31
Between the two extremes of FAR and FRR lies the equal
error point or cross-over rate where the two values are
equal, and which represents a simpler, but perhaps less
useful, measure of performance than simply FAR or FRR
rates alone. These measures are expressed in percentage
(of error transactions) terms, with an equal error rate of
somewhere between 0.1 percent and 10 percent being
typical performance in real applications.
It is important to remember that the quoted performance
figures for a given system may not be realized in practice
for a number of reasons. Including:
•
•
•
•
•
•
•
•
User training
User discipline
User familiarity with the device
User stress
Individual device condition
User interface design
Speed of device response
External environment; environmental conditions
Vendor quoted statistics may be based upon limited tests
conducted by the vendor under controlled laboratory
conditions, supplemented by mathematical theory. They
should only be viewed as a rough guide and not relied
upon for actual system performance expectations. This
is not because biometrics vendors are trying to mislead,
but because it is almost impossible to provide an accu-
Version 2 – Summer 2008

Section 2 32 Fundamentals of Biometrics
rate and repeatable indication of how a device will perform
in a limitless variety of real-world conditions.
Similarly, actual enrollment times will depend upon a
number of variables inherent in the enrollment procedure.
Some questions to consider include:
•
•
•
•
•
•
•
Are the users pre-educated as to system requirements
and use?
Have they used the device before?
What information is being provided to users about
the quality of their submitted biometric samples?
Is custom software being used?
Is the enrolling administrator adequately trained?
How many enrollment points will be operated?
What other processes are involved?
Individual biometric vendors or integrators cannot possibly
understand or know these variables for every system
and, as such, quoted figures will be based upon their
own in-house experiences under controlled conditions,
usually with trained and cooperative users.
Verification time is also often misunderstood as vendors
will typically describe the average time taken for the
actual verification process, which does not typically include
the time taken to present the live sample or undertake
other processes such as presentation of the token
or keying of a personal identification number (PIN).
Consider also the average time for user error and system
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 33
response, and it is apparent that the end-to-end verification
transaction time may often be different from the
quoted figure.
Given these examples, it is no surprise that biometric device
performance measures have sometimes become a
contentious issue when implementing systems under actual
operating conditions.
Template Storage Considerations
Template management is directly linked to privacy, security,
and convenience. All biometric systems face a common
issue—biometric templates must be stored somewhere.
Templates must be protected to prevent identity
theft and to protect the privacy of users.
Possible locations for biometric template storage include:
•
•
•
•
•
•
•
•
The biometric device or reader
A personal computer disk drive
A central computer database that is accessed remotely
(i.e., database)
A card or token with a bar code or magnetic stripe
RFID cards and tags
Optical memory cards
Smart cards
A USB interface device
Version 2 – Summer 2008

Section 2 34 Fundamentals of Biometrics
Biometric databases and the issues surrounding them typically
come into play with identification, or one-to-many comparison,
systems where biometric templates of all users are maintained
and housed. When a user needs access, he/she presents his/her
live biometric to the reader and the system performs a comparison
against all references in the database, concluding either a
match or no-match with corresponding access privileges.
The issues surrounding biometric databases primarily concern
the safeguarding of large and valuable collections of personally
identifying information. If such databases are part of an important
security system, they—and the channels used to share the
personally identifying information—are natural targets for attack,
theft, compromise, and malicious or fraudulent use. Security for
template storage in databases is also affected by the number of
uses for that database: Will it have a unique use or will it be used
for multiple security purposes?
For example, a facility manager might use a fingerprint reader
for physical access control to a building. The manager might
also want to use the same fingerprint template database for
his employees to access their computer network. Should the
manager use separate databases for these different uses, or is
he willing to risk accessing employee fingerprint templates
from remote location for multiple purposes, even if those
templates are not the actual fingerprint images but only derived
characteristics?
These issues also concern the need to maintain reliable, up-todate
information about the enrolled users. Databases that seek
to maintain accurate residence information, for example, must
be updated as soon as one moves. Databases that are used
to establish eligibility for benefits must be updated to exclude
persons who are no longer eligible. The broader the function
of the system, the more often and broader the updating is
required.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 35
Biometric technology and system vendors could claim privacy
protection via encryption or hashing 21 the biometric data or designing
the database to enforce a privacy policy. Users, however,
have no way to verify whether such technical protections
are effective or implemented properly. Users should be able to
verify any such claims and to leave the system completely if they
are not satisfied. Exiting the system should, at the very least,
include the deletion of the user’s biometric data and corresponding
records.
Transaction Storage
This is an important area where a secure audit trail may be critical.
Some devices will store a limited number of transactions
internally, scrolling over as new transactions are received. Depending
on the extent of the audit trail and “transaction history”
that is required, it might be beneficial to have each biometric device
connected directly to a local PC that may, in turn, be polled
periodically in order to download transactions to a central point.
A local procedure for dealing with error and exceptional conditions
should be adopted, which will require some type of local
messaging. This may be as simple as a relay closure in the event
of a failed transaction, activating an annunciator of some type.
Transaction Management
How the network handles transactions may be of critical importance
in some applications. For example, if multiple terminals
are distributed within a large facility, each requiring a real-time
21 Hash values are used for accessing data or for security. A hash value
is a number generated from a string of text. Hashing is a common
method of accessing data records, typically using a hash table.
Version 2 – Summer 2008

Section 2 36 Fundamentals of Biometrics
display of information, this will require fast and reliable
messaging transmission. Each terminal user may wish to
“hold” a displayed transaction until a response has been
initiated. This will require a separate local message buffer
and possibly a message prioritization methodology
to ensure that critical messages are dealt with promptly.
Standards
The biometrics industry includes more than 150 22 separate
hardware and software vendors, each with their own
proprietary interfaces, algorithms, performance parameters,
and integration requirements. Standards are emerging
to provide a common application software interface
and template data formats that might more efficiently
allow cross-sharing of biometric templates and permit
effective (apples-to-apples) comparison and evaluation
of various biometric technologies. A more detailed discussion
of Biometric Standards is presented in Section 5:
Biometric Standards.
22 According to A Practical Guide to Biometric Security Technology. Simon
Liu and Mark Silverman. IT Professional. IEEE Computer Society.
® Jan-Feb 2001 IEEE. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 37
Terms and Definitions Related to Biometrics
10-Print Card A paper form used to collect both an individual’s
personal and demographic information
along with flat and rolled ink
impression fingerprint images. Mainly
used in conjunction with an Automated
Fingerprint Identification System
(AFIS).
10-Print Match or
Identification
Version 2 – Summer 2008
A positive identification of an individual
by corresponding each of his/her 10
fingerprints to those in a system of record.
Usually performed by an AFIS system
and verified by a human fingerprint
examiner.
Access Control Process of granting (or denying) access.
Acquisition Device The hardware used to acquire biometric
samples or images.
Active Imposter
Acceptance
Acceptance of a biometric sample submitted
by someone actively attempting to
gain illegal entry to a biometric system.
AFIS Automated fingerprint identification
system.
Algorithm A sequence of instructions that tells a
system how to solve a problem. Used
by biometric systems, for example, to
tell whether a sample and a template
are from the same person (a “match”).
Cryptographic algorithms are used to
encrypt sensitive data files, to encrypt
and decrypt messages, and to digitally
sign documents.

Section 2 38 Fundamentals of Biometrics
AND (Anding)/
OR (Oring)
Process
In multi-modal applications, sometimes
used to describe whether two or
more biometrics must all be successfully
matched (Anding) or if any match is successful
(Oring). See also Asynchronous
Multi-Modality.
ANSI American National Standards Institute, a
private, non-profit organization that administers
and coordinates the U.S. voluntary
standardization and conformity
assessment system.
API Application Program Interface. A computer
code that is a set of instructions or
services used to standardize an application.
Any system compatible with the
API can then be added or interchanged
by the application developer.
Application How a biometric is used. For example,
access control, logical access, etc.
Application
Developer
An individual entrusted with developing
and implementing a biometric application.
Application Profile Conforming subsets or combinations of
base standards used to provide specific
functions. Application profiles identify
the use of particular options available in
base standards and provide a basis for interchange
of data between applications
and interoperability of systems.
ASIC Application Specific Integrated Circuit.
An integrated circuit developed for specific
applications to improve performance.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 39
Asynchronous
Multi-Modality
Version 2 – Summer 2008
Systems that require a user to verify
himself/herself through more than one
biometric in sequence. Asynchronous
multimodal solutions are comprised of
one, two, or three distinct authentication
processes. A typical user interaction will
consist of verification on finger scan, then
face, if finger is successful.
Attack Any attempt (physical or electronic) to
defeat the biometric system/subsystem
or any of its components.
Attempt The submission of one or more biometric
samples to a biometric system for identification
or verification. A biometric system
may allow more than one attempt to
identify or verify.
Attribute
Authority
An entity, recognized by a Certificate
Management Authority, as having the
authority to verify the association of attributes
to an identity.
Audit Trail In computer/network systems, record of
events (protocols, written documents,
and other evidence) that can be used to
trace the activities and usage of a system.
Such material is crucial when tracking
down successful attacks/attackers, determining
how the attacks happened, and
being able to use this evidence in a court
of law.

Section 2 40 Fundamentals of Biometrics
Authentication The process of establishing the validity
of the user attempting to gain access to a
system. Primary authentication methods
include:
Authentication
Routine
Automated
Fingerprint
Identification
System (AFIS)
Automatic ID /
Auto ID
•
•
•
Access passwords (something you
know)
Access tokens (something you have)
Biometrics (who you are)
A cryptographic process used to validate
a user, card, terminal, or message contents.
Also known as a handshake, the
routine uses important data to create a
code that can be verified in real time or
batch mode.
A specialized biometric system that
compares a single finger image with a
database of fingerprint images. In law
enforcement, AFIS is used to collect
fingerprints from criminal suspects and
crime scenes. In civilian life, fingerprint
scanners are used to identify employees,
protect sensitive data, etc.
An umbrella term for any biometric system
or other security technology that
uses automatic means to check identity.
This applies to both one-to-one verification
and one-to-many identification.
Base Standard Fundamental and generalized procedures.
Provide an infrastructure that can
be used by a variety of applications, each
of which can make its own selection from
the options offered.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 41
Behavioral
Biometric
Version 2 – Summer 2008
A biometric that is characterized by a behavioral
trait that is learned and acquired
over time rather than a physiological
characteristic. Examples include speech
and signature.
Bifurcation The point in a fingerprint when a ridge
divides or splits to form two ridges that
continue past the point of division for a
distance that is at least equal to the spacing
between adjacent ridges at the point
of bifurcation.
BioAPI BioAPI v2.0, developed by the Bio-API
Consortium and released in March 2000,
was designed to produce a standard
biometric API aiding developers and
consumers.
Biometric (noun) One of various technologies that utilize
behavioral and biological characteristics
to recognize individuals.
Biometrics (noun) Field relating to biometric recognition.
Biometric
(adjective)
Biometric
Application
Biometric
Application
Programming
Interface (BAPI)
Of or pertaining to technologies that utilize
behavioral and biological characteristics
to recognize individuals.
The specific use to which a biometric
system is put. See also “Application
Developer.”
An API that allows the programmer to
develop applications for a broad range
of virtual biometric devices without
knowing the specific capabilities of the
device. The API is comprised of three
distinct levels of functionality, from high
device abstraction to low (device specific)
abstraction.

Section 2 42 Fundamentals of Biometrics
Biometric Data The extracted information taken from
the biometric sample and used either to
build a template or reference or to compare
against a previously created template
or reference.
Biometric Engine The software element of the biometric
system that processes biometric data during
the stages of enrollment and capture,
extraction, comparison, and matching.
Biometric
Identification
Device or Product
The preferred term is “Biometric System”
or subsystem, but may also refer to
a component of the system or subsystem.
Biometric Sample The identifiable, unprocessed image or
recording of a biological and behavioral
characteristic, acquired during enrollment,
and used to generate biometric
templates or references. Also referred to
as biometric data.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 43
Biometric System
or Subsystem
Version 2 – Summer 2008
The integrated biometric hardware and
software used to conduct biometric identification
or verification. It is an automated
system capable of:
•
•
•
•
•
Capturing a biometric sample from
an end-user;
Extracting biometric data from that
sample;
Comparing the biometric data
with that contained in one or more
templates;
Deciding how well they match; and
Indicating whether or not a recognition
of the individual has been
achieved.
The biometric system may be referred to
as a “subsystem” when it is a fully integrated
part of a larger (holistic) security
system. Alternatively, a biometric subsystem
could be an operating component
of the biometric system. For example, an
enrollment station with specially configured
readers/images may be referred to
as a biometric subsystem.

Section 2 44 Fundamentals of Biometrics
Biometric
Taxonomy
Biometric
Technology
Breeder
Document
A method of classifying biometrics. For
example, San Jose State University’s
(SJSU’s) biometric taxonomy uses partitions
to classify the role of biometrics
within a given biometric application. An
application may be classified as:
•
•
•
•
•
Cooperative v. Non-cooperative User
Overt v. Covert Biometric System
Habituated v. Non-habituated User
Supervised v. Unsupervised User
Standard equipment v. Non-standard
equipment
A classification of a biometric system by
the type of biometric.
Synonym for “source documents”, that
provide some basis for claims to identity
for biometric enrollment, such as passports,
birth certificates, driver licenses,
government or private sector organizational
identity cards, program eligibility
identity cards, etc.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 45
Buffer Overflow Most common cause of security vulnerabilities.
This occurs when more data is
put into a temporary data storage area
(buffer) than the buffer can hold. Because
buffers can only hold a finite amount of
data, the extra information can overflow
into adjacent buffers, corrupting or
overwriting the data in them. Programming
errors are one of the most frequent
causes of buffer overflow problems. In
attacks that exploit buffer vulnerabilities,
extra data is sent to the buffer with
code designed to trigger specific actions,
which can damage files, change data, or
disclose confidential information. Buffer
overflow attacks may arise from poor use
of the C programming language.
Capture The method of taking a biometric sample
from the end user.
CBEFF Common Biometric Exchange File Format
that describes a set of data elements
necessary to support biometric technologies
in a common way. These data can be
placed in a single file used to exchange
biometric information between different
system components or between systems.
The result promotes interoperability of biometric-based
application programs and
systems developed by different vendors
by allowing biometric data interchange.
Version 2 – Summer 2008

Section 2 46 Fundamentals of Biometrics
Certificate A digital representation of information
which identifies the certification authority
issuing it, names/identifies its subscriber,
contains the subscriber’s public
key, identifies its operational period, and
is digitally signed by the certification authority
issuing it.
Certificate
Authority
An authority trusted by one or more users
to create and assign certificates.
Certification The process of testing a biometric system
to ensure that it meets certain performance
criteria. Systems that meet the
testing criteria pass and are certified by
the testing organization.
Chaotic
Morphogenesis
A reference to an aspect of genetic development
that results in the unique value
of a specific human characteristic. It describes
how some human features appear
to develop on a totally random basis (for
example, the iris).
Claim of Identity When a user name, PIN, password, token,
or card accompanies a biometric sample
submitted to a biometric verification system
to claim a similarity of bodily source
with an enrolled template.
Claimant A person submitting a biometric sample
for verification or identification while
claiming a legitimate or false identity.
Closed-Set
Identification
When an unidentified end-user is known
to be enrolled in the biometric system.
Opposite of “Open-Set Identification.”
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 47
Common Criteria Standard that provides a comprehensive,
rigorous method for specifying function
and assurance requirements for products
and systems. This term is generally and almost
exclusively used by the information/
computer security community.
Compare/
Comparison
Contact/
Contactless
Crossover Error
Rate (CER)
Version 2 – Summer 2008
The process of comparing a biometric
sample against a previously stored template
and scoring the level of similarity.
An accept or reject decision of a claim to
similarity or non-similarity is then based
upon this score. See also “One-to-One”
and “One-to-Many.”
In regard to chip cards, whether the card
is read by direct contact with a reader or
has a transmitter/receiver system that allows
it to be read using radio frequency
(RF) technology up to a certain distance.
A comparison metric for different
biometric devices and technologies. The
error rate at which FAR equals FRR.
The lower the CER, the more accurate
and reliable the biometric device. Synonym
for “Equal Error Rate” (EER).
D Prime A statistical measure of how well a
biometric system can discriminate
between different individuals. The larger
the D Prime value, the better a biometric
system is at discriminating between
people.

Section 2 48 Fundamentals of Biometrics
Degrees of
Freedom
The number of statistically independent
features or virtual features in biometric
data.
Digital Signature Transformation of a message using an
asymmetric cryptosystem such that a
person who has the initial message and
the signer’s public key can accurately determine
whether the transformation was
created using the private key that corresponds
to the signer’s public key and
whether the initial message has been altered
since the transformation was made.
The encryption of a message digest with
a private key.
Discriminant
Training
A means of refining the extraction algorithm
so that biometric data from different
individuals are as distinct as possible.
Ear Shape A lesser-known physical biometric that is
characterized by the shape of the outer
ear, lobes, and bone structure.
Eigenface A method of representing a human face
as a linear deviation from a mean or average
face.
Eigenhead The three dimensional version of Eigenface
that also analyzes the shape of the
head.
Encryption Transforming a test into code in order to
conceal its meaning. For example, the
process of transforming data to an unintelligible
form in such a way that the
original data either cannot be obtained
(one-way encryption) or cannot be obtained
without using the inverse decryption
process.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 49
End User A person who interacts with a biometric
system to enroll or have his/her identity
checked.
End User
Adaptation
Version 2 – Summer 2008
The process of adjustment whereby a
participant in a test becomes familiar
with what is required and alters his/her
responses accordingly.
Enrollee A person who has a biometric template
on file.
Enrollment The process of collecting biometric samples
from a person and the subsequent
preparation and storage of biometric
templates representing that person.
Enrollment Time The time period a person must spend to
have his/her biometric template successfully
created.
Equal Error Rate
(EER)
The proportion of false rejections that
will be approximately equal to the proportion
of false acceptances when the
threshold is appropriately set. A synonym
for “Crossover Error Rate” (CER).
Extraction The process of converting a captured
biometric sample into biometric data so
that it can be compared to a template.
Face Monitoring A biometric application of face recognition
technology where the biometric system
monitors the attendance of an end
user at a desktop.
Facial
Thermography
A specialized face recognition technique
that senses heat in the face caused by the
flow of blood under the skin.
Failure to Acquire Failure of a biometric system to capture
and extract biometric data.

Section 2 50 Fundamentals of Biometrics
Failure to Acquire
Rate
The frequency of failure to acquire.
False Acceptance Wrongly verifying a false claim regarding
enrollment or non-enrollment in a
biometric database. Also knows as “Type
II error.”
False Acceptance
Rate (FAR)
The probability that a biometric system
will wrongly accept a false claim regarding
enrollment or non-enrollment in a
database. Also known as “Type II error
rate.” It is stated as follows:
• FAR = NFA / NIIA or
•
•
•
•
•
FAR = NFA / NIVA
Where FAR is the false acceptance
rate
NFA is the number of false acceptances
NIIA is the number of impostor identification
attempts
NIVA is the number of impostor verification
attempts
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 51
False Match Rate The probability that a biometric sample
and a template not from the same source
will be wrongly judged to be from the
same source. Used to avoid confusion in
applications that reject the claimant if his/
her biometric data matches that of an enrollee.
In such applications, the concepts
of acceptance and rejection are reversed,
thus reversing the meaning of “False Acceptance”
and “False Rejection.” See
also “False Non-Match Rate.”
False Non-Match
Rate
Version 2 – Summer 2008
The probability that a biometric sample
and a template from the same source will
be wrongly judged not to be a match.
Used to avoid confusion in applications
that reject the claimant if his/her biometric
data matches that of an enrollee.
In such applications, the concepts of acceptance
and rejection are reversed,
thus reversing the meaning of “False Acceptance”
and “False Rejection.” See also
“False Match Rate.”
False Rejection The failure of a biometric system to verify
the legitimate claim of a user to enrollment
or non-enrollment in the system.
Also known as a “Type I error.”

Section 2 52 Fundamentals of Biometrics
False Rejection
Rate (FRR)
The probability that a biometric system
will fail to accept a true claim of enrollment
or non-enrollment in a database.
Also knows as a “Type I error rate.” It is
stated as follows:
• FRR = NFR / NEIA or
•
•
•
•
•
FRR = NFR / NEVA
Where FRR is he false rejection rate
NFR is the number of false rejections
NEIA is the number of enrollee identification
attempts
NEVA is the number of enrollee verification
attempts
Field Test A trial of a biometric application in a
“real world” setting, as opposed to laboratory
conditions.
Finger Image A two-dimensional picture of the patterns
found in the tip of the finger.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 53
Fingerprint/
Fingerprinting
Fingerprint
Scanning
Version 2 – Summer 2008
Fingerprints are the “traces” of minute
ridges and valleys found on the finger of
every person. In the fingers and thumbs,
these ridges form basic patterns such as
loops, whorls, and arches, and also have
finer level of details, such as ridge bifurcation
and endings, pore placement
on the ridge, and feathering of ridge
boundaries.
Acquisition and recognition of a person’s
fingerprint characteristics for identifying
purposes. This allows the recognition of
a person through quantifiable biological
characteristics.
Fingerprint Sensor Part of a biometric device used to capture
a fingerprint image for subsequent
processing.
Foundation
Documents
Synonym for source documents that provide
the basis for claims to identity for
biometric enrollment. Source documents
include; passports; birth certificates; driver
licenses; government or private sector
organizational identity cards, program
eligibility identity cards, etc.
Friction Ridge The ridges present on the skin of the fingers
and toes, the palms and soles of the
feet, which make contact with an incident
surface under normal touch. On the fingers,
unique patterns formed by the friction
ridges make up fingerprints.
Genetic
Penetrance
The degree to which characteristics are
passed from generation to generation
through inherited DNA.

Section 2 54 Fundamentals of Biometrics
Hash Function A function that maps a variable-length
data block or message into a fixed-length
value called a message digest or hash
code. The function is designed so that,
when protected, it provides an authenticator
for the data or message, because
any alteration in the original message will
produce a very different hash or digest
value. The most widely-used hash function,
called Secure Hash Algorithm-1 (SHA-1),
was developed by NIST to be used with
the Digital Signature Algorithm and was
published in 1995 as FIPS 180-1.
Hashing Hash values are used for accessing data
or for security. A hash value is a number
generated from a string of text. Hashing
is a common method of accessing
data records, typically using a hash table.
Hashing is not the same as encryption.
IAFIS Integrated Automated Fingerprint Identification
System, implemented in July
1999 to replace the former paper-based
system for identifying and searching
criminal history fingerprint records. It
supports a law enforcement agency’s
ability to digitally record fingerprints
and electronically exchange information
with the FBI.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 55
Identification /
Identify
Version 2 – Summer 2008
The one-to-many process of comparing
a submitted biometric sample against all
of the biometric templates on file to determine
whether it matches any of the
templates and, if so, returns the identity
of the enrollee whose template was
matched. The biometric system using
the one-to-many approach is seeking to
find an identity match with a database
of identity records rather than verify a
claimed identity. Contrast with “Verification”
as a type of recognition.
Identifier A unique data string used as a key in the
biometric system to point to a person’s
identity record and its associated attributes.
An example of an identifier could
be a passport number.
IEC International Electrotechnical Commission,
a non-profit standards organization
dedicated to catalyzing positive change
in the information industry and its university
communities.
Impostor /
Imposter
A person who submits a biometric sample
in either an intentional or inadvertent attempt
to pass him/herself off as another
person who is an enrollee.
INCITS International Committee for Information
Technology Standards, the primary U.S.
standards body in the field of information
and communications technologies.
Information
Assurance (IA)
Information operations that protect and
defend information and information systems
by ensuring their confidentiality,
authentication, availability, integrity, and
non-repudiation.

Section 2 56 Fundamentals of Biometrics
In-House Test A test carried out entirely within the environs
of the biometric developer, which
may or may not involve external user
participation.
IrisCode ® The biometric template generated for
each live iris presented. The code template
is a mathematical representation of
the features of the iris.
ISO International Standards Organization,
a network of national standards bodies
from 145 countries working to develop
international standards in partnership
with international organizations, governments,
industry, business, and consumer
representatives.
ITI Information Technology Industry Council,
a trade association for U.S. providers
of IT products and services.
JTC 1 Joint Technical Committee 1, the technical
committee formed under the authority
of ISO/IEC to be responsible for
international standardization in the field
of IT.
Key In encryption and digital signatures, a
string of bits used for encrypting and decrypting
information to be transmitted.
Encryption commonly relies on two different
types of keys, a public and a private
one.
Latent / Latent
Print
An impression of a finger image collected
from a crime scene, for example.
Live Capture The process of capturing a biometric
sample by an interaction between an end
user and a biometric system.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 57
M1 Technical
Committee on
Biometrics
Version 2 – Summer 2008
Established in November 2001 to ensure
a high priority, focused, and comprehensive
approach in the United States for the
rapid development and approval of formal
national and international biometric
standards.
Match / Matching See “Compare / Comparison.”
Minutiae Small details found in finger images such
as ridge endings or bifurcations.
Non-Repudiation Assurance that the sender is provided
with proof of delivery and the recipient is
provided with proof of the sender’s identity
so that neither can later deny having
processed the data.
One-to-Many
(1:N)
The act of comparing stored templates
of many persons to a submitted sample
set from a single person
One-to-One (1:1) The act of comparing a stored template
of a single person to a submitted sample
set from a single person
Open-Set
Identification
Identification, when it is possible that
the individual is not enrolled in the biometric
system. Opposite of “Closed-Set
Identification.”
Optical Sensor Optics-based systems that translate the
illuminated images into digital code for
further software processing, such as enrollment
and authentication.
Out of Set In open-set identification, when the individual
is not enrolled in the biometric
system.

Section 2 58 Fundamentals of Biometrics
Passive Impostor
Acceptance
When an impostor submits his/her own
biometric sample and claims the identity
of another person (either intentionally or
inadvertently) he/she is incorrectly identified
or verified by the biometric system.
Compare with “Active Impostor Acceptance.”
Password Security measure used to restrict access
to systems, areas, or information. A password
is a unique string of characters that
a user types in as an identification code.
The system compares the code against a
stored list of authorized passwords and
users. If the code is legitimate, the system
allows the user access at whatever
security level previously approved for the
owner of that password.
Performance
Criteria
Pre-determined criteria established to
evaluate the performance of the biometric
system under test.
PIN Personal Identification Number, used in
conjunction with an access control system
or ATM, for example, as a secondary
credential by the user to ensure the
holder of the card or ID is the authorized
user.
Platen The surface on which a finger or hand is
placed during optical fingerprint or hand
geometry image capture.
Plug-and-Play An industry-wide standard for add-on
hardware that indicates it will configure
itself, thus eliminating the need to set
jumpers and making installation of the
product quick and easy.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 59
Private Key The part of a key pair to be safeguarded
by the owner. Used to generate a digital
signature, they are used to decrypt information,
including key encryption keys
during key exchange. It is computationally
unfeasible to determine a private key
given the associated public key.
Public Key The part of a key pair that is made public,
usually by posting it to a directory.
A public key can be either a signature
or key exchange key. The signer’s public
signature key is used to verify a digital
signature. Sending an encrypted message
requires use of the recipient’s public key
in the encryption process.
Public Key
Cryptography
(PKC)
Public Key
Infrastructure
(PKI)
Receiver
Operating Curves
Version 2 – Summer 2008
Encryption system using a linked pair of
keys. What one key encrypts, the other
key decrypts.
Portion of the security management infrastructure
dedicated to the management
of keys and certificates used by
public key-based security services. A PKI
is a credentials service; it associates user
and entity identities with public keys. A
well-run PKI is the foundation on which
the trustworthiness of public key-based
security mechanisms rests.
A graph showing how the false rejection
rate and false acceptance rate vary according
to the threshold.
Recognition From the Latin “again” and “to know.”

Section 2 60 Fundamentals of Biometrics
Reference Data that represents the biometric
measurement of an enrollee used by a
biometric system for comparison against
subsequently submitted biometric samples.
Alternatively, see “Template.”
“Reference” is a broader term than
“Template” and describes any data used
in the matching process.
Response Time The time period required by a biometric
system to return a decision on identification
or verification of a biometric
sample.
Ridge The raised markings found across the
fingertip.
Ridge Ending The point just beyond that at which a fingerprint
ridge ends. The point at which
the valley in front of the fingerprint ridge
bifurcates.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 61
Robustness A characterization of the strength of a
security function, mechanism, service,
or solution, and the assurance (or confidence)
that it is implemented and functioning
correctly. For example, the U.S.
Department of Defense has three levels
for robustness:
Version 2 – Summer 2008
• Basic:
Security services and mechanisms
that equate to good commercial
practices.
• Medium:
Security services and mechanisms
that provide for layering of
additional safeguards above good
commercial practices.
• High:
Security services and mechanisms
that provide the most stringent
protection and rigorous security
countermeasures.
Sensor Hardware found on a biometric device
that converts biometric input into electrical
signals and conveys this information
with the attached computer.
Source Documents Used to provide the basis for claims to
identity in biometric enrollment includes;
passports, birth certificates, driver licenses,
government or private sector organizational
identity cards, program eligibility
identity cards, etc. See also Breeder Documents
and Foundation Documents.

Section 2 62 Fundamentals of Biometrics
Symmetric Key Encryption methodology in which the
encryptor and decryptor use the same
key, which must be kept secret.
TAG Technical Advisory Group, appointed by
ANSI to represent the ANSI (U.S.) position
in various disciplines to ISO/IEC for development
of international standards. In IT,
INCITS has been appointed TAG to ISO/
IEC JTC 1.
Template See “Reference.” The code that contains
the biometric characteristic or sample
Third Party Test An objective test, independent of a
biometric vendor, usually carried out
entirely within a test laboratory in controlled
environmental conditions.
Threshold
/ Decision
Threshold
The comparison score above or below
which a claim of a match between a sample
and a template is accepted or rejected.
The threshold may be adjustable so that
the biometric system can be more or less
strict, depending on the requirements of
any given biometric application.
Throughput The total time required for one user to
complete the matching transaction in a
biometric system/subsystem. In a verification
type system, it would include the
entry of an identifier or PIN by the user.
Throughput Rate The number of end users that a biometric
system can process within a stated time
interval.
Type I Error Statistical term for rejecting a true
hypothesis.
Type II Error Statistical term for accepting a false
hypothesis.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 2 63
User The client of any biometric vendor. The
user must be differentiated from the end
user and is responsible for managing and
implementing the biometric application
rather than actually interacting with the
biometric system.
Validation The process of demonstrating that the
system under consideration meets in all
respects the specification of that system.
Verification /
Verify
Version 2 – Summer 2008
The process of proving as true some
claim about enrollment in a biometric
system. In systems where the user makes
a positive claim to be enrolled as a specific
user, this is done by comparing a
submitted biometric sample against the
biometric template of the single enrollee
whose identity is being claimed. Some
systems, such as those based on the
Daugman iris recognition algorithms,
verify unspecific claims to identity by a
complete search of the enrollment database.
Thus a user’s positive claim to enrollment
in a biometric database can be
accomplished by either a “one-to-one”
or a “one-to-many” search. Verification
is distinguished from identification
in that the user’s “identity record” is not
returned by a verification system. A type
of recognition.
Volatiles A term specific to “body odor” biometric
technology. It is the chemical breakdown
of body odor. (DARPA calls this “emanations.”)
Wavelet Scalar
Quantization
A compression algorithm used to reduce
the size of fingerprint images.

Section 2 64 Fundamentals of Biometrics
X9.84 Biometrics X9.84 Biometrics Management and Security
for the Financial Services Industry.
Specification that defines the minimumsecurity
requirements for effective management
of biometric data for the financial
services industry and the security for
the collection, distribution, and processing
of biometric data.
Zero Effort Attack A casual attempt to defraud a biometric
system in which the impostor falsely
claims to be a randomly chosen enrollee,
submitting the impostor’s own biometric
sample without alteration.
NOTE: The biometric community is not yet in general agreement
on the use of terms and definitions. As a result, even standards
bodies working in this area have yet to produce a definitive glossary.
This glossary is intended to define terms associated with
biometrics as used by NBSP within the BTAM. Where appropriate,
alternative usage is also described.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 1
Section 3: Types of Biometric
Technologies
When used for personal identification, biometric technologies
measure and analyze human biological and
behavioral characteristics. Identifying a person’s biological
characteristics is based on direct measurement of a
part of the body, such as fingerprints, hand structure, facial
features, iris patterns, and others. The corresponding
biometric technologies are fingerprint recognition,
hand geometry, facial, and iris recognition, among others.
Biometric systems using predominantly behavioral
characteristics are based on data derived from actions,
such as speech and signature, for which the corresponding
biometrics are speaker verification and dynamic signature
analysis. Almost all biometrics, however, incorporate
both biological and behavioral components.
Biometrics are an effective personal identifier because
the characteristics measured are distinct to each person.
Unlike other identification methods that use something
a person has, such as an identification card to gain access
to a building, or something a person knows, like a
password or PIN to log on to a computer system, the biometric
characteristics are integral to something a person
is. Because biometrics are tightly bound to an individual,
they are more reliable, cannot be forgotten, and are less
likely to be lost, stolen, or otherwise compromised.
This Section of the BTAM describes in more detail how the
commonly used biometrics function. They are presented in
alphabetical order by type of technology.
Version 2 – Summer 2008

Section 3 2 Types of Biometric Technologies
Dynamic Signature Analysis
How the Technology Works
Signature recognition authentication or dynamic signature
analysis authenticates identity by measuring and
analyzing handwritten signatures. Dynamic signature
analysis does not rely on the physical appearance of the
signature, but instead on the manner in which a signature
is written, using a stylus on a pressure-sensitive
tablet to track hand movements. This technology measures
how the signature is signed, looking at changes in
pressure, position, and velocity of the pen during the
course of signing, using a pressure-sensitive tablet or
personal digital assistant (PDA).
Some dynamic signature recognition technologies can
also track a person’s natural signature fluctuations over
time. While it may be easy to duplicate the visual appearance
of a signature, it is difficult to duplicate the
behavioral characteristics when someone signs his/her
signature.
Signature verification consists primarily of a specialized
pen (or stylus) and writing tablet, which are connected to
a computer for processing and verification. To begin the
data acquisition phase of enrollment, the individual must
sign his/her name multiple times on the writing tablet.
After the data is acquired, the signature verification system
extracts writer’s behavioral characteristics, including
how long it took the person to sign his/her name;
the pressure applied; the speed in signing the signature;
the overall size of the signature; and the quantity and
various directions of the strokes in the signature, and
uses this information in future comparison of the live
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 3
signature to the enrollment template for the verification
of enrollment claims.
Dynamic signature recognition is considered a “behavioral”
biometric technology, although the handedness of
the user (a biological characteristic) plays a large role in
the method of signing.
Robustness
Dynamic signature analysis devices have proved to be reasonably
accurate in operation and lend themselves to applications
where the signature is an accepted identifier.
One of the suggested advantages for signature verification
is that it has a high level of resistance to impostors.
For example, although it is easy to forge a signature, it is
difficult to mimic the behavioral patterns associated with
signing one’s signature. This technology would work well
in high-value transactions.
Signature verification is considered a non-invasive tool
because people are currently accustomed to providing
a signature to authorize transactions. As a result, there
could be a high level of acceptance on the part of the
end-user for this technology. Using signatures for commerce
is common, so there are virtually no privacy rights
issues involved.
Limitations
Some systems have difficulties with individuals whose
signature changes substantially each time it is written or
with left-handed people.
Version 2 – Summer 2008

Section 3 4 Types of Biometric Technologies
There are a number of constraints in the data acquisition
phase:
•
•
•
A signature cannot be too long or too short. If it
is too long, there will be too much behavioral data
presented, and as a result, it will be difficult for the
signature verification system to identify consistent
and unique data points. If a signature is too short,
there will not be enough data present, which will
lead to a higher false accept rate.
The user must complete the enrollment and verification
processes in the same type of environment
and conditions. For example, if the user was standing
in the enrollment phase, but sitting in the verification
phase, and/or resting his/her arm in one
phase but not in the other phase while signing, the
enrollment and verification templates tend to be
substantially different from each other.
Signature verification is prone to an increase in the
level of error rates over time. This happens when the
behavioral characteristics of the signatures are inconsistent
among each other. Users may also have
difficulties in getting acclimated to the use of the
signature tablet, which also increase the chances for
higher error rates.
Applications
Despite its user friendliness, long history, and lack of
invasiveness, signature verification has not become a
market leader like other biometric technologies (i.e.,
fingerprint). Some documented applications include:
Chase Manhattan Bank, the first known bank to adopt
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 5
signature verification technology; IRS for verification
purposes in tax returns that have been filed online; and
Charles Schwab & Company for new client applications.
Most likely, the biggest market application for
signature verification will be in document verification
and authorization.
Facial Imaging or Recognition
How the Technology Works
Facial imaging or recognition identifies people by comparison
of sample images to stored templates using
mathematical analysis of the groups of acquired pixels.
Facial imaging is not based on common “facial features,”
such as cheeks, nose, chin, and mouth, which cannot be
found reliably by current algorithms. Most systems, however,
must find the eye centers for the purpose of isolating
the face in a large image. Systems using facial recognition
technology capture facial images using digital
cameras and, like their biometric technology counterparts,
generate templates for comparing a live face to a
stored enrollment template. Facial recognition is most
commonly used in the verification mode.
There are four primary methods used by facial imaging
or recognition vendors for generating facial-based
biometric templates and identifications. These include:
1.
“Spectral Decomposition Methods (Eigenfaces and
Local Feature Analysis)”,
Version 2 – Summer 2008

Section 3 6 Types of Biometric Technologies
2.
3.
4.
Elastic bunch graph matching,
Support Vector Machines, and
Local Correlation (“texture”) Methods.
“Eigenface”, deriving from the well known mathematical
technique of Principal Component Analysis based on
“eigen vectors”, is a technology with some patents held
by MIT. It uses two dimensional, global grayscale images
to “decompose” a facial image. That is, a facial image is
represented by some combination of factory-set, global
(full face) eigenfaces, added up like overlaid transparencies.
These eigenfaces resemble “ghost” faces. Any face
image can be approximated by some combination of the
ghost-like eigenfaces. The particular weightings of the
factory-standard eigenfaces required to represent the
sample is stored as the template. Matching is then attempted
by comparing the weightings required to represent
a sample face to those stored as the template. If
they are similar, the images may have come from the
same source. Because the basis transparencies are “global”
(looking like an entire face), any change in a sample
facial image changes the required weightings for all of
the eigenface components.
Local Feature Analysis is based on the same principle as
eigenfaces, but each basic factory-set transparency does
not look at all like a “ghost” image. Rather, most of the
basis transparencies are 0 (zero) valued, having non-zero
values over only a small local portion of the face image.
Consequently, it is more flexible in accommodating
changes in facial appearance and/or expressions. The
LFA method uses dozens of features from various areas
of the face. This method is not a global representation
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 7
of the face.
Elastic Bunch Graph Matching (EBGM) was developed by
Professor Christoph von der Malsburg at the University
of Southern California. In this method, a bendable grid is
placed on the face image and Gabor filters of various size,
orientation, and frequency are placed on each vertex of
the grid. The values of the image under the various filters
form a “jet” (a series of numbers) on each vertex of the
grid. These jets are stored as the reference. When a sample
face is compared to the reference, moderate bending
of the grid is allowed to create sample jets of best fit to
the reference.
Support Vector Machines have been successfully used
by vendors, as well. The many thousand individual pixels
of a face image are multiplied by a “kernel” to actually
increase the number of numerical values representing
the face. The kernel is chosen to provide maximum
separation of the various faces in the new, higher dimensional
space.
Local Correlation (“texture”) Methods analysis, also called
“texture mapping,” looks for small regions of similarity
between the pixels of the sample image and pixels of the
template, saved as an entire image. If enough of these regions
can be found and if they are in the same basic areas
of both images, the images are deemed to have come
from the same source.
Version 2 – Summer 2008

Section 3 8 Types of Biometric Technologies
There is no clear indication as to which method is most
appropriate for any individual application. More recently,
vendors have begun to combine approaches, producing
hybrid systems.
Variations
“Facial thermography” or thermal imaging is another
type of facial biometric. It is a specialized face recognition
technique that senses heat in the face caused by the
flow of blood under the skin. Thermal imaging systems
can hypothetically be combined with other systems to
produce more accurate authentication applications, or
used separately for different purposes. Developed in the
early 1990s, this technology was initially expensive and
never commercially successful.
For more information on Facial Thermography, see
“Other Biometric Technologies.”
Robustness
The concept of recognizing someone by his/her face is
intuitive and the most common means humans use to
identify one another on sight. Because of this, there are
several advantages to using facial recognition, including:
•
Facial recognition can leverage existing databases
that currently house facial images or photographs,
such as a driver license database or mug shots of
criminals. However, the extent to which such “legacy”
files may be useful is dependent on the quality of
the image and nature of the environment (lighting,
etc.) in which the original photo was acquired.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 9
•
•
•
Facial images can be captured from some distance
away and without any physical contact, providing a
clandestine or covert capability, if needed. For this
reason, facial recognition is perceived as the only biometric
suitable for “surveillance” applications.
Facial recognition can also utilize commercially available
digital camera technology used for video teleconferencing
or close circuit television (CCTV) cameras
used in surveillance applications.
Facial recognition technology is often perceived
as less intrusive than other biometric technologies
where contact with the reader is required.
The covert nature and potential uses of facial recognition
technology can sometimes prompt legal concerns. For a
discussion regarding legal and privacy concerns, refer to
BTAM Section 7, Part 1: Societal Issues.
Limitations
The majority of facial recognition algorithms seem to be
sensitive to variations in Pose angle, Illumination, facial
Expression, and Currency (the PIEC problem). Change
in illumination results in a significant performance drop
and has proven difficult to use these technologies outdoors.
Changing facial position can also have an effect
on performance. Any difference in position between the
query image and a database image can adversely affect
performance. At a difference of 45 degrees, recognition
can be ineffective.
Ideally, for facial recognition systems to perform with relatively
high accuracy, subjects should be photographed
Version 2 – Summer 2008

Section 3 10 Types of Biometric Technologies
and enrolled under tightly controlled conditions. Each
subject/user should look directly into the camera and fill
the area of the photo for the automated system to reliably
identify the person, or even detect, his/her face in
the photograph.
Many face verification applications make it mandatory to
acquire images with the same camera. However, some
applications, particularly those used in law enforcement,
allow image acquisition with many camera types. Camera
variation potentially affects system performance as
much as changing illumination.
The surveillance and non-intrusive aspects of facial recognition
technology have a perceived downside in that
they are more adaptable to covert use and raise issues
regarding civil liberties if the scope of use is not carefully
controlled.
It is necessary to keep stored enrollment image templates
up-to-date, since a person’s appearance changes
(both naturally and, sometimes, deliberately) with time
and age. It is recommended to encourage users to update
their facial enrollment template at least every couple
of years.
As mentioned, facial imaging is most commonly used
for verification but NIST suggests that it not be used for
identification. 23
23 According to “Summary of NIST Patriot Act Recommendations.”
See http://www.itl.nist.gov/iad/894.03/pact/NIST_
PACT_REC.pdf
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 11
Applications
Unlike other biometric technologies, implementing a facial
recognition system has its own set of challenges that
other technologies may not experience. For example,
other biometric technologies might work in different
kinds of application environments and, to a certain degree,
may not be affected as much by external variables.
With facial recognition, performance can be greatly influenced
by the type of application setting that is used.
Application environments for facial recognition systems
can be categorized as “controlled” and “random.” In a
controlled environment, there is not much variation in
the background conditions or lighting. The user will look
into the camera and good quality enrollment and verification
templates will be created. A typical example of a
controlled environment is of a physical access entry at a
location or site.
In a random environment, however, there is more variation.
A typical example of a random setting is in surveillance.
Facial recognition systems have not been successfully
used at airports for such purposes. Results are poor
because the facial recognition system has to identify and
filter faces from different lighting environments, angles,
poses, and different locations with varying background
distractions.
Facial recognition, with heavy operator assistance and
not in the automatic mode, has been used to identify
card counters in casinos. Facial recognition has also been
successful in access control, whether to a location, building,
room, or for computer access. Face recognition has
been successfully applied as a tool for screening individuals
to see if they are already known to the system. This
Version 2 – Summer 2008

Section 3 12 Types of Biometric Technologies
is used for fraud prevention when individuals apply for
visas or driver’s licenses. The same technique is used in
some law enforcement jurisdictions during the criminal
booking process to get an immediate indication of the
identity of an arrestee well before a FBI fingerprint check
is conducted.
“Face monitoring” is a biometric application of face recognition
technology where the biometric system monitors
the presence of a user, often at a desktop. This technology
can be overt or covert in nature.
Fingerprint
How the Technology Works
Some argue that fingerprint identification was not a true
biometric until the emergence of the more recent fully-
automated systems. More accurately, fingerprints represent
the transition from a manual biometric to the automated
form of the technology.
Fingerprints have long been used to identify people. In
14th century China, they were used as a form of signature.
Today, fingerprint verification technology is the
most prominent biometric technology, used by millions
of people worldwide.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 13
Figure 3-1 Examples of various fingerprint ridge patterns. 24
It is estimated that the number of possible fingerprint
patterns is 10 to the 48th power. 25 Fingerprint technology
can be used effectively in both verification (1:1) and
identification (1:N) applications.
Fingerprint verification systems work by identifying the
locations of small lines or ridges found in the fingerprint.
They extract features from impressions that are made by
these distinct ridges. Typically, fingerprints are either flat
(capture by placing a finger directly on the scanner) or
rolled (rolling the finger from one edge of the fingernail
to the other). A flat fingerprint is an impression of the
area between the fingertip and the first knuckle, which a
rolled fingerprint also includes an impression of the ridges
on both sides of the finger.
24 Graphic from University of Alabama in Huntsville Integrated Biometrics
Laboratory
25 According to Gartner Dataquest.
Version 2 – Summer 2008

Section 3 14 Types of Biometric Technologies
Fingerprint-based systems can also be further categorized
into four broad groups: Minutiae-based matching
(analyzing the local structure), direct correlation techniques,
optical comparison, and spectral ridge-pattern
matching (analyzing the ridge or global structure) of the
fingerprint. Most fingerprint technology vendors’ algorithms
analyze minutiae points. The current international
standard for minutiae extraction recognizes two common
characteristics as comprising minutia points: ridge
endings (the end of a ridge) and bifurcations (Y-shaped
split of one ridge into two ridges).
Fingerprint ridge patterns as seen in Figure 3-1 are captured
by the system and groupled into several categories:
left and right loops; whorls; and others.
When fingerprint patterns are captured and analyzed,
about 5% of all fingerprint patterns are arches; 30% are
whorls; and 65% are loops, divided approximately equally
into left and right loops. 26
Ridge Spectral Pattern-based Algorithms
How the Technology Works
In matching ridge patterns, the image is divided into
small square areas about five pixels on a side. The
ridge wavelength, direction, and phase displacement
for each small square is encoded and used as the basis
for the biometric template. Ridge pattern matching
26 Biometric Technologies. Cynthia Traeger and Howard Falk (doc id
00016761). Faulkner Information Services, a division of Information Today.
2002.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 15
algorithms use a process
of aligning and overlaying
segments of fingerprint
images to determine similarity.
Minutia-based Algorithms
A typical fingerprint image may
produce between 15 and 70 minutiae,
depending on the portion
of the image captured. The most
prevalent minutiae are ridge endings.
27 Minutiae algorithms plot
the relative position and type of
points (minutiae) where ridge lines
branch apart (bifurcate) or terminate
(end).
Variations
There are a number of variations to fingerprint matching
algorithms and template formats, including optical techniques
- dating to the 1960s and formerly of great interest
to the FBI and direct correlation techniques in which
areas of ridge patterns from fingerprints are directly
overlaid. [Some fingerprinting sensors can detect when
a live finger is presented but cannot tell whether the fin-
27 Technology Assessment: Using Biometrics for Border Security. U.S.
General Accounting Office. November 2002 pg. 143
28 Graphic from “Fingerprint Matching Using Minutiae and Texture
Features.” Proceedings of the International Conference on Image
Processing (ICIP), Greece. Anil Jain, Arun Ross, Salil Prabhakar. October
2001 IEEE. Used with permission.
Version 2 – Summer 2008
Figure 3-2 Minutia-based fingerprint
image with detected
minutia points marked. 28
® IEEE 2001. Used with
permission.

Section 3 16 Types of Biometric Technologies
gerprint on the finger is live or synthetic].
Rolled fingerprints have been used for identification for
decades - most commonly known from police dramas
where the suspect’s fingerprints are inked and rolled
side-to-side on a white paper - and provide an accurate
means of identification. Operators, however, must be
well trained to collect good quality rolled fingerprints;
the process is slow and requires manual rolling of each
of the subject’s fingers by the operator.
Single-finger flats are typically used for verification systems
and/or in small to medium-sized identification systems.
Accuracy and reliability are good for most applications.
Several studies have reasonably shown, though,
that identification accuracy increases substantially as the
number of fingers (and thus fingerprints) used increases,
indicating that at least four fingers should be used for
larger-scale identification systems. Because of this, the
use of multi-finger “slaps” can offer improvements in performance
accuracy and efficiency over the use of singlefinger
flats, especially since four fingerprints can be collected
in each image.
Slap fingerprints (slaps) are taken by simultaneously
pressing the four fingers of one hand onto a scanner or
fingerprint card. Slaps are also known as four-finger simultaneous
plain impressions. They are, simply, multiple
flat fingerprints captured at the same time. Slap fingerprints
have received increasing attention for possible use
in large-scale fingerprint identification systems as a possible
compromise between the use of rolled fingerprints
and single-finger flat fingerprints. A number of issues
must be addressed in order to use slap fingerprints in
an operational system. It is critically important to enroll
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 17
each of the prints in the correct finger order. Enrolling
fingerprints out of sequence can result in increased user
errors and false rejections. Operationally, slap fingerprint
scanners tend to be larger and more expensive than single-finger
fingerprint scanners. 29
Robustness
Fingerprint patterns are stable throughout one’s lifetime,
and unique and easily analyzed and compared. Fingerprint
systems are easy to use, in most cases requiring the
user to simply touch a platen with his/her forefinger. In
addition to being secure, most fingerprint systems are
relatively inexpensive.
Limitations
Capable of high accuracy levels, fingerprint devices
can suffer from usage errors when users are not properly
trained in system usage and/or motivated to cooperate
when placing their finger(s) on the reader. This
is, of course, not limited to fingerprint systems and extends
to all biometric technologies. Conditions must be
right for accurate authentication; for example, wet or
moist fingers, cuts on fingers, or dirt or grease can sometimes
affect the authentication process. Additionally, as
with other biometric methods where a platen must be
touched, some people are uncomfortable with touching
something that other people have touched repeatedly
29 Portions from Slap Fingerprint Segmentation Evaluation 2004
(SlapSeg04) Analysis Report (NISTIR 7209). Bradford Ulery, Austin Hicklin,
Craig Watson, Michael Indovina, and Kayee Kwong. http://fingerprint.nist.gov/slapseg04/ir_7209.pdf
Version 2 – Summer 2008

Section 3 18 Types of Biometric Technologies
before them.
Other concerns involve the aspects of occupational impact.
The use of hands in constant contact with abrasives
or chemicals may interfere with fingerprint readers.
There are consistent reports of genetic influence in population
segments regarding an impact on image quality,
but good documentation on this “outlier” influence
is hard to find.
Applications
Fingerprint biometrics have four main application areas:
large-scale Automated Fingerprint Imaging Systems
(AFIS) that are generally used by law enforcement,
for fraud prevention in entitlement programs, physical
access control (doors) and “logical” access to computer
systems.
Workstation access applications seem to be based almost
exclusively around fingerprints, due to the relatively low
cost, small size (easily integrated into keyboards, mice,
and laptops) and ease of integration.
Hand Geometry
How the Technology Works
Historically, hand geometry systems have dominated
the access control and “time and attendance” market
in terms of biometrics being used for these purposes.
Hand geometry-based verification systems measure the
layout of a person’s hand, including the fingers, joints,
and knuckles. Some systems measure the geometry of
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 19
two fingers (see Finger Geometry).
Hand geometry measures the two-dimensional physical
characteristics of the user’s hand and fingers using an
optical camera, mirrors, and light-emitting diodes (LEDs)
to capture images of the back and sides of the hand. In
measuring size and shape, a hand geometry system collects
more than 90 dimensional measurements. In the
measurement of the different features, a person places
his/her hand flat on the reader’s surface, where pegs
guide the fingers into position. Hand geometry systems
require the user to squeeze his/her fingers against the
pegs to confirm the hand is “living” rather than a prosthetic.
Cameras capture images of the back and sides of
the hand. Only the hand’s geometry is analyzed; prints of
the palm and fingers are not taken.
Variations
Finger geometry systems work similarly to hand geometry
systems, looking at the structure of one, two, or three
fingers instead of the whole hand.
Robustness
A technology that has been used by-and-large for physical
access control, hand geometry consistently performs
well and is relatively easy to use. Accuracy can be high
and the technology can accommodate a wide range of
applications; it also integrates well into other systems
and identification processes.
Hand geometry is generally perceived as non-intrusive
and non-threatening and lacks the law enforcement as-
Version 2 – Summer 2008

Section 3 20 Types of Biometric Technologies
sociation of fingerprint systems. It is considered relatively
easy to use by the majority of the population, although
some minimal training may be necessary to help
the user learn how to align his/her hand accurately in the
reader.
Limitations
While the shape and size of the human hand is reasonably
diverse, hands are not necessarily highly distinctive.
In larger populations, for example, it is almost certain
that some people may share similar hand dimensions.
It should be noted that current hand-geometry systems
can operate only in the verification mode because of the
limited variability in hand features. Also, the usual system/hardware
design allows only the right hand to be
enrolled (if the left hand is used, it is turned upside down,
thereby creating enrollment problems and subsequent
verification problems), although left-handed readers
have been manufactured and deployed.
Additionally, in some cultures people may be uncomfortable
touching a device that many people have previously
touched. While this phenomenon may be more attributable
to the newness of biometrics than anything else—
afterall, people still use door handles, operate vending
machines, and exchange money—more insight can be
gained on such user psychology issues as they pertain to
biometrics in Section 7, Part 1: Societal Issues.
Applications
Hand geometry can be suitable for one-to-one applications
where there are larger user databases and/or where
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 21
users may access the system infrequently and, therefore,
be less disciplined in their approach to the system. As
mentioned earlier, hand geometry systems are most
commonly used in access control and/or time and attendance
applications.
Iris Recognition
How the Technology Works
Iris recognition technology is based on the patterns resident
in the iris of the eye—the colored ring surrounding
the pupil. Iris recognition technology identifies people
by the unique patterns in the iris using a fairly conventional
charge coupled device (CCD) camera. Made from
elastic connective tissue, the iris represents a richly patterned
surface under the reflective cornea of
the eye. The image of the iris under infra-red illumination
can be quantified and used to identify
an individual. Approximately 2048 binary
(0 or 1) features are captured in a “live” iris iden-
tification application. Formed by the eighth
month of gestation, iris characteristics reportedly
remain stable throughout a person’s lifetime,
except in cases of trauma or injury.
30 Photo from Dr. John Daugman, Cambridge University, The Com-
puter Laboratory.
Version 2 – Summer 2008
Figure 3-3 Iris
image showing
unique structure.
30

Section 3 22 Types of Biometric Technologies
Iris recognition systems use
a CCD camera to capture a
black-and-white, high-resolution
image of the iris under
infra-red illumination. They
then define the boundaries
of the iris, establish a coordinate
system, and define the
“zones for analysis.”
All parts of the visible iris are
processed into a reference
(template) that is often referred to as an IrisCode ® . 31 The
software locates and “eliminates” (does not encode) data
from eyelashes, eyelids and other “non-iris” sources (e.g.,
light reflections). Algorithms check for a specific pattern
reflected on the eye and may use additional measurements
to determine that the eye is living. The visible
characteristics within the “zones of analysis” are converted
into a 512-byte template that is used to identify the
individual; 256 of these bytes are control code.
Most physical access control applications require a person
to stand within three to 10 inches of the camera and
look directly into the lens, centering his/her eye based
on a guidance light or illuminated pattern on a two-way
mirror in front of the user. More interactive systems may
“verbally” prompt or signal the user to adjust his/her distance
for proper image capture. Some systems using
desktop or hand-held cameras can operate at a distance
of about 12 to 18 inches.
31 IrisCode is a trademark of Iridian Technologies, Inc.
32 Photo from Dr. John Daugman, Cambridge University, The Computer
Laboratory.
Figure 3-4 An iris image with an
IrisCode ® . 32
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 23
Robustness
It can take one to two seconds for an iris recognition system
to identify a person’s iris pattern. A template iris pattern
code (or IrisCode ® ) contains less than half of a kilobyte
of data, resulting in a small “electronic footprint.” Up
to one million records-per-second can be scanned using
a standard personal computer.
Iris-based systems have the lowest false match rates
among all currently available biometric methods, and are
the least intrusive technique of the eye-based biometrics.
It is one of the few biometric systems, besides fingerprinting,
that works well in “identification” (one-to-many
comparison) mode. The technology also works well with
eyeglasses and non-patterned contact lenses in place,
as well as with a variety of ethnic groups, including hose
persons with dark irises. The International Standard ISO
19704-6 recommends that eyeglasses be removed for
the enrollment process and hard contact lenses and patterned
soft contact lenses should be removed. (Implicit
for enrollment and recognition).
Iris patterns are thought to be highly distinctive. Not
even the patterns of one’s own irises are the same, and
identical twins each have different iris patterns as well.
Iris patterns are thought not to change over the course
of one’s lifetime, but scientists responsible for the development
of iris recognition software have recently stated
that more research in the area is needed.
Version 2 – Summer 2008

Section 3 24 Types of Biometric Technologies
Limitations
Ease of use can be an issue with some iris recognitionbased
systems since the user must line-up his/her eye
with the camera. In most cases, the current technology
does not lend itself to surveillance applications or where
users are moving quickly, as it requires the user to stop
for a few seconds and look directly into the camera to
be identified. However, “iris on the move” systems have
been successful. Even blind persons, if the iris is intact
and useful, can use an iris recognition system, but will
need additional assistance or guidance to position their
eyes appropriately.
People who believe in iridology 33 think that the imaging
of their irises will reveal their medical conditions and
diseases, such as pregnancy, heart disease, diabetes,
AIDS, or high blood pressure. No scientific study has established
that iris recognition templates can provide information
about a person’s health, and iridology has no
known scientific support.
Applications
Some programs and applications include: Airline passenger
screening, border security, facility access control,
computer login, ATMs, inmate identification in correctional
facilities, and grocery stores (for automated check
out). The Charlotte-Douglas International Airport uses
iris recognition for physical access of workers when en-
33 Iridology is the study of the iris to determine health problems. Iridologists
believe that changing patterns in the iris can reveal health conditions,
although the practice cannot detect specific diseases.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 25
tering non-public areas of the airport. During the Winter
Olympics in Nagano, Japan, an iris recognition system
controlled access to the rifles used in the biathlon. The
United Arab Emirates has used an iris recognition biometric
screening system for over two years to screen all
arriving visa holders at their points of entry to detect previously
deported persons. The United Nations has also
successfully used the system in refugee control applications.
Keystroke Analysis/Keystroke Dynamics
How the Technology Works
Keystroke dynamics, or analysis, is also referred to as typing
rhythms. It is an automated method of analyzing the
way a user types at a terminal or keyboard, examining dynamics
such as speed, pressure, total time taken to type
particular words, and the time elapsed between hitting
certain keys. Specifically, keystroke analysis measures
two distinct variables: “dwell time,” which is the amount
of time a person holds down a particular key, and “flight
time,” which is the amount of time it takes between keys.
The technique works by monitoring the keyboard inputs
at thousands of times per second in an attempt to identify
the user by his/her habitual typing rhythm patterns.
Keystroke verification techniques can be classified as either
static or continuous. Static verification approaches
analyze keystroke verification characteristics only at specific
times, for example, during the login sequence. Static
approaches provide more robust user verification than
simple passwords but do not provide continuous security.
They cannot, for instance, detect a substitution of
the user after the initial verification. Continuous verifica-
Version 2 – Summer 2008

Section 3 26 Types of Biometric Technologies
tion monitors the user’s typing behavior throughout the
course of the interaction.
In comparison to other biometric technologies, keystroke
dynamics is probably one of the easiest to implement
and administer. This is primarily because the technology
is completely software-based; there is no need to
install any new hardware. All that is needed is the existing
computer and keyboard.
For enrollment, the individual must type a specific word
or group of words. In most cases, the username and password
of the individual is used. It is important that this
same word or phrasing is used in both the enrollment
and verification processes. Otherwise, the behavioral
characteristic of typing will be significantly different, and
as a result, there will be a mismatch between the enrollment
template and verification measures.
To create the enrollment template, the user must type
his/her name and password about 15 times, and it is recommended
that this process occur over a period of time
rather than at a single point in time. This is because the
inconsistent behavioral characteristics will be averaged.
With keystroke dynamics, the individual must type without
making any corrections, or the system will prompt
the user to start completely over again.
The distinctive behavioral characteristics that are measured
by keystroke dynamics include:
•
•
•
Cumulative typing speed
The time elapsed between consecutive keystrokes
The time that each key is held down
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 27
•
•
The frequency of the individual in using other keys
on the keyboard, such as the number pad or function
keys
The sequence utilized by the individual when attempting
to type a capital letter (for example, does
the user release the shift key or the letter key first?)
These behavioral characteristics became statistical profiles,
then the enrollment template and verification samples.
These templates also store the actual username
and password. The statistical profile scan can either be
“global” or “local.” With a “global” profile, all of the typing
behavioral characteristics can be combined, or with a “local”
profile, the behavioral characteristics are measured
for each keystroke.
Robustness
The extent of the statistical correlation needed to declare
a match between the enrollment template and verification
measures can be modified to accommodate the required
security level. An application that requires a lower
level of security will permit for diffrences in the typing
behavior. However, an application that requires a higher
level of security will not permit any differences in the typing
behavior.
Keystroke dynamics technology does not require any
additional, specialized hardware to implement. It is also
easily integrated with other existing authentication processes.
And minimal training is required for an individual
to use a keystroke dynamic-based system, as people are
accustomed to typing in a username and password on a
keyboard.
Version 2 – Summer 2008

Section 3 28 Types of Biometric Technologies
Templates generated by a keystroke recognition system
are specific only to that username and password used
to generate the template. Should the username and/or
password be tampered with, the user needs only to select
a new username and password to create a new set of
enrollment templates and verification measures.
The use of a primarily behavioral trait—keystrokes—
which may have a smaller biological component than
other biometrics, such as the iris—as a personal identifier
has inherent limitations. When coupled with traditional
biological biometric technologies, keystroke dynamics
allows for a more robust authentication system than traditional
password-based alternatives alone.
Limitations
The inherent limitations of keystroke dynamics as an authentication
mechanism are attributed to the nature of
the template “signature” and its relationship to the user—recognizing
users based on habitual rhythm in their
typing patterns uses dynamic performance features that
depend on an act, and that rhythm is a function of the
user and the environment.
Keystroke dynamics-based systems possess the same
flaws as username/password systems in that they do not
ease the burden of having to remember multiple passwords,
decrease the administrative costs of having to
reset passwords, nor enhance convenience to the indi-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 29
vidual using the system. Rather, keystroke dynamics enhances
the security to an existing username/passwordbased
system.
Keystroke dynamics-based systems are only used in oneto-one
verification applications and cannot be used in
one-to-many identification applications due to the limitations
in the matching accuracy.
Additionally, keystroke dynamics has not been fully tested
in wide-scale deployments. 34
Applications
One potentially useful application is computer access,
where this biometric could be used to verify the computer
user’s identity continuously. Dynamic or ongoing
monitoring of the interaction of users while accessing
highly restricted documents or executing tasks in environments
where the user must be “alert” at all times (for
example, air traffic control) is an ideal scenario for the
application of a keystroke authentication system. Keystroke
dynamics may be used to detect uncharacteristic
typing rhythms such as those brought on by drowsiness,
fatigue, etc., and alarm a third party.
34 As of this writing.
Version 2 – Summer 2008

Section 3 30 Types of Biometric Technologies
Palmprint
How the Technology Works
The palmprint is made up of principal
lines, wrinkles, and ridges. In the
palmprint, some kinds of features
could be considered “geometry” features
(e.g., width, length, and area
of palm), line features (e.g., principal
lines, coarse wrinkles, and fine wrinkles)
and point features (e.g., minutiae
and delta points). Palmprint
verification—to determine whether
two palmprints are from the same
palm—can use the physical features
mentioned above to verify the identity
of a live person.
Palm biometrics is close to fingerprinting in that ridges,
valleys, and other minutiae data are found on the palm
as with finger images.
There are two approaches to palmprint recognition. 35
One approach transforms palmprint images into specific
transformation domains, including Eigenpalm, Gabor
filters, Fourier Transform, and wavelets. Another approach
is to extract principal lines and creases from the
palm. This approach, however, is often difficult because
it is sometimes troublesome to extract the line structures
35 According to Palmprint Recognition with PCA and ICA. Tee Connie.
Multimedia University, Melaka, Malaysia.
36 Image from Personal Verification using Palmprint and Hand Geometry
Biometric. Kumar, Wong, Shen, and Jain. 2003.
Figure 3-5
Example of
palmprint
patterns. 36
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 31
that can discriminate one person from another. Creases
and ridges of the palm often cross and overlap each other,
which complicates the feature extraction task.
Robustness
Like fingerprints, palmprint patterns are stable throughout
one’s lifetime, are unique, and cannot be forged or
transferred. Unlike fingerprints, palmprints are claimed
to be less likely to wear away due to excessive or occupational
abuse, but there is no data to support that claim.
Limitations
Vulnerabilities and issues surrounding the use of palmprint
technologies are much the same as those for fingerprint
biometrics. Excessive dirt, grime, or oils on the
skin can dirty the platen, potentially causing false reads
or non-reads of users. Likewise, fingerprint and other
biometrics that require a user to physically touch a reader,
some users are hesitant to touch something that many
people have touched before them.
Additionally, some users may fail to touch all or enough
of their palm onto the imaging platen, so an adequate
reading can be taken.
Applications
Law enforcement’s interest in palmprints applications is
prompted by the latent palmprints found at crime scenes,
which can be just as useful as latent fingerprints for crime
solving. States such as California, Connecticut, Virginia,
and Wisconsin are among those adopting palmprint rec-
Version 2 – Summer 2008

Section 3 32 Types of Biometric Technologies
ognition in their law enforcement activities. The technology
is also appropriate for the access control market.
Additionally, adding palmprint recognition to fingerprint
systems could help improve the identity verification provided
by fingerprints in cases where fingerprint images
cannot be properly acquired (e.g., due to dry skin). Similarly,
palmprint biometrics could be symbiotic with hand
geometry systems, providing a higher degree of accuracy
in identification when the two technologies are combined
into a single system.
Retinal Scan
How the Technology Works
Research conducted in the 1930s suggested that the
patterns of blood vessels in the back of the human eye
were unique to each individual, making retinal scan one
of the oldest known biometrics. Nevertheless, it should
be noted at the onset that retinal scanning—despite its
accuracy potential—has been and will continue to be
a marginal biometric technology in public applications
that require a high degree of user acceptance.
Retinal blood vessel patterns are highly distinctive traits.
Like iris patterns, every human eye has its own unique
pattern of retinal blood vessels, including the eyes of
identical twins.
The retina is small, internal to the eye, and thus difficult
to image - making image capture and analysis a more
difficult challenge than other biometric traits. To use a
retinal scanning system, the user must position his/her
eye very close to the lens of the retina-scan device, look
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 33
directly into the lens at a small green light, and remain
still while maintaining visual focus on the light. During
this time, a light detector (not a laser or camera, as depicted
in popular sci-fi movies) scans the retina illuminated
using infrared light shown through the pupillary
opening. Because of the close proximity requirements
between the user’s eye and the reader, and the small diameter
of the pupil, even the slightest movement can
interfere with the identification process and force a retry.
Although the identification process can take 10–15
seconds once users are familiar with the system, enrollment
can often take several minutes as users are learning
how to interact with this technology. It is important
to emphasize that the retinal scanning devices formerly
commercially available did not image the retina, but
only detected return light from the retina as the scanning
illuminator swung in a circular pattern.
Robustness
The blood vessel pattern of the retina rarely changes over
the lifetime of an individual, unless he/she is afflicted by
a disease of the eye, such as glaucoma. Retinal scan devices
are one of the most accurate biometrics available
as the continuity of the retinal pattern throughout life
and the difficulty of spoofing (fooling) such a system
with a fake eye make it a potentially good long-term option
for very high-security applications.
Since the retina is located inside the eye, it is not exposed
to the threats of the external environment, as are other
biometrics like fingerprints and hands. There is no
known way to replicate a retina and a retina from a dead
Version 2 – Summer 2008

Section 3 34 Types of Biometric Technologies
person would deteriorate too quickly to be useful.
Limitations
Most of the weaknesses, or vulnerabilities, of retinal recognition
are primarily user-based issues. For example,
the user-reader interface is not convenient for eyeglass
wearers (glasses have to be removed first) nor for those
who have concerns about close contact with the reader.
For these reasons, retinal scanning experienced serious
user acceptance problems in the 1980s and 1990s
as friendlier biometrics came into mainstream use. The
leading product, although no longer commercially available,
underwent a redesign in the mid-90s to provide
enhanced connectivity and an improved user interface.
Despite such improvements, however, it remains a
marginal biometric technology from a user-acceptance
standpoint.
Of all the biometric technologies, the motivation level
of the user must be very high for the system to function
properly. Users must interact correctly and patiently for
the system to work.
Although each pattern normally remains stable over a
person’s lifetime, it can be affected by disease such as
glaucoma, diabetes, high blood pressure, and autoimmune
deficiency syndrome (AIDS), although no method
for detecting these diseases from the circular retinal scan
has been developed.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 35
Applications
Contrary to popular public misconceptions and reflective
of what is seen in movies and read in novels, retinal scanning
was used almost exclusively in high-end security
applications, such as controlling access to military installations,
nuclear facilities, and laboratories.
One of the best-documented public applications for using
retinal recognition was conducted in the U.S. by the
state of Illinois in an effort to reduce welfare fraud. 37 The
primary purpose was to identify welfare recipients, so
that benefits could not be claimed more than once. The
project was eventually terminated due to concerns that
it was not easily usable by clients or staff.
Skin Spectroscopy/Skin Texture/Skin
Contact
How the Technology Works
Human skin is a complex organ made up of multiple layers,
mixtures of chemicals, and distinct structures such as
hair follicles, sweat glands, and capillary beds. Although
every person has skin, each person’s skin is structurally
unique. Skin layers vary in thickness, interfaces between
skin layers have different undulations and other characteristics,
collagen fibers and elastic fibers in the skin layers
differ, and capillary bed density and location differ.
Cell size and density within the skin layers, as well as the
chemical makeup of these layers, also vary from person
to person.
37 An Application of Biometric Technology: Retinal Recognition. Series #3.
Ravi Das, HTG Solutions.
Version 2 – Summer 2008

Section 3 36 Types of Biometric Technologies
The “skin spectroscopy” technology recognizes skin differences
by their optical properties. A small patch of
skin is illuminated by a sensor via multiple wavelengths
(i.e., colors) of visible and near infrared right. The light
is reflected back after being scattered in the skin and is
then measured for each of the wavelengths. Reflectance
variability of the various light frequencies as they pass
through the skin are analyzed and processed to extract
a characteristic optical pattern that is compared to the
pattern on record or stored in the device to provide an
identification/authentication.
Because the optical signal is affected by changes to the
chemistry and other properties of human skin, it also
provides a sensitive and relatively easy way to confirm
that a sample is living tissue. Non-human tissue or synthetic
material has different optical properties than living
human skin. Likewise, excised or amputated tissue
undergoes rapid changes in biochemistry, temperature,
and distribution of fluids within the various biological
compartments that alter the light signals.
A spectral biometric system consists of three major subsystems:
the optical sensor, electronics to drive the sensor,
and the algorithm and procedures used to derive
biometric features from the raw spectral data. Other skin
recognition systems use high-resolution cameras to capture
images then the algorithms analyze the skin for features,
such as wrinkles, pores, structure, texture, etc.
Variations
Skin spectroscopy is ideally suited to layering in dual biometric
systems, helping to build ultra high-performance
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 37
systems that measure two or more independent biometric
identifiers. Because skin spectroscopy-based systems
require contact with skin, this makes fingerprint sensors
and hand/finger geometry systems particularly compatible
with this technology.
Robustness
Skin patterns, whether identified by algorithms via surface
texture analysis or spectral analysis, are a physical
trait that is thought to be distinguishable among all people,
including identical twins.
This technique may be highly resistant to “spoofing” attacks.
Amputated and synthetic tissues generate different
optical signals from living tissue, and it is significantly
more difficult to produce a facsimile of a skin sample that
would fool a variety of sensors. In addition to providing
anti-spoofing for its own system, skin spectroscopy
can be leveraged to provide anti-spoofing protection for
other “contact” biometrics, such as fingerprint and hand
geometry.
Skin spectroscopy is unrestricted by physical, biological,
cultural, or religious hurdles. It will work for individuals
with any skin color and aging should not affect results.
Limitations
Obviously, skin recognition biometric technologies will
not work if the user is wearing gloves or a mask that covers
his/her skin. A reasonable proximity to the reader is
also required, as identifications cannot be made from a
Version 2 – Summer 2008

Section 3 38 Types of Biometric Technologies
distance, although a certain level of “standoff” reading
capability has been demonstrated.
This type of system is best used for applications with
moderate environmental conditions, since requiring users
to remove gloves could slow down the access control
process to unacceptable levels.
Applications
Some vendors’ sensors can operate on nearly any portion
of the skin, making them ideal for integration into
consumer products in ways that easily and conveniently
ensure security. Initial designs show system sensors to
be small, fast, and durable. Their low cost and low power
consumption, and the algorithm’s processing efficiency
and low memory requirements, make this technology
promising for use in portable devices if it is perfected.
Smartphones, PDAs, and other mobile-based products
could provide general purpose authentication capability
for applications ranging from e-commerce to physical
security.
Speaker Verification
How the Technology Works
Speaker verification has strong behavioral and biological
components. The differences in how people’s voices
actually sound can result from a combination of biological
differences, such as the shape of the vocal tracts, and
from individual speaking habits. Speaker verification
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 39
technology uses these differences to create a voice print
template that can be used to verify the identity of a person
by comparing the unique patterns generated as a result
of these differences. Speaker verification is separate
and distinct from “voice recognition,” which is the recognition
of spoken words and typically used in automated
telephone directory services and in dictation systems.
Unlike speaker verification, voice recognition is not a biometric
technology since it does not confirm individual
identity.
Speaker verification has traditionally focused on the
sound of the voice that is generated by the resonance
in the vocal tract. The length of the vocal tract and the
shape of the mouth and nasal cavities affect the voice.
Speaker verification is defined as “the automated process
of identifying a specific individual’s voice.” Typically during
enrollment, the speaker verification system will capture
samples of a person’s voice by having him/her repeat
a set of pre-determined words, sentences, or phrases into
a microphone or telephone. As with other biometrics,
an enrollment template is generated and stored for future
comparisons. This template is often referred to as a
“voice print.”
Speaker verification systems can be of two types: textindependent
or text-dependent. Text-dependent sysstems,
during enrollment, capture samples of a person’s
voice by having him/her repeat a set of pre-determined
words, sentences, or phrases into a microphone or telephone.
This technique enhances the verification (and in
some limited use, recognition) but requires a cooperative
and patient user.
In text-independent recognition, however, the user does
not have to say a pre-determined phrase nor cooper-
Version 2 – Summer 2008

Section 3 40 Types of Biometric Technologies
ate or even be aware of the recognition system. Consequently,
text-independent recognition has been used
when trying to identify or recognize a speaker from radio
or telephone signals.
Variations
As mentioned above, in text-dependent recognition, the
user is asked to repeat a pre-determined phrase or words.
This technique enhances recognition, but requires a cooperative
and patient user. In text-independent recognition,
the user does not have to say a pre-determined
phrase nor cooperate or even be aware of the recognition
system. Consequently, the text-independent recognition
is used when trying to identify the speaker from
intercepted radio or telephone signals.
Speaker verification primarily examines the sound of the
voice and should be distinguished from speech recognition.
Speech/voice recognition recognizes the words
and phrases that are spoken rather than the voice itself.
Robustness
There are many advantages to using speaker verification.
It provides eye-and hands-free operation, is reliable, flexible,
and has a good data accuracy rate. Speaker verification
technology continues to grow and improve.
Speaker verification systems are easy to use and typically
require no special training or equipment. For text-dependent
systems, users simply repeat phrases through
a microphone. Voice-based biometric systems are relatively
inexpensive, compared to other biometrics since
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 41
they employ everyday microphones as “capture” devices.
Consumers/users are used to being identified by their
voices, so system acceptance and cooperation is typically
high.
Limitations
Different people can have similar voices and a person’s
voice can vary over time due to changes in health,
emotional state, and age. Physical conditions of the voice,
such as those due to sickness, can affect the speaker
verification process, and since changes are likely to occur
with age, waiting long periods between comparisons
could affect long-term accuracy.
In access control applications, speaker verification’s use is
limited to one-to-one verification applications. Because
of matching accuracy limitations of the technology and
the variability of the individual pass phrases used for
enrollment, speaker verification has historically been
found to be suitable for one-to-many identification. Most
speaker verification systems must be “trained”, requiring
samples of the voice of the user of the system.
Variation in telephone handsets or microphones and
the quality of the communication connection in general
can affect accuracy. Problems typically arise when
an application faces the challenge of cross-channel
enrollment, when a voice that may have been acquired
over one device - for example, in a person using a highquality
microphone - is to be detected through the use
of a lower-quality connection, such as a cell phone.
This common phenomenon can affect accuracy rates,
especially when the user has high expectations and
relatively little training. Speaker recognition models are
Version 2 – Summer 2008

Section 3 42 Types of Biometric Technologies
typically large, often on the order of 6Kb per speaker.
Applications
Text-dependent speaker verification systems have been
used in logical access control applications and where remote
identity verification is required. A major example
of this is call center automation, where transaction processing
is automated via telephone or computer. Popular
uses include financial transactions (account access,
funds transfer, bill payment, trading of financial instruments)
and credit card processing (address changes, balance
transfers, loss prevention).
Speaker verification/recognition has also made an impact
in the penal system where it is used to monitor
and control inmate phone priviledges and identity verification
of parolees, juvenile inmates, and those under
house arrest.
Although speaker verification technology has not
been as widely adopted and utilized as other biometric
technologies, there are indications that speaker
verification could be adopted on a larger scale in the
future for a number of reasons 38 .
•
•
Telephone is the primary means by which consumers
conduct financial transactions and access financial
account information.
Consumers know about the problem of identity
theft.
38 According to Biometric Media Weekly. October 6, 2004.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 43
•
•
Many consumers feel that PINs and passwords are
not secure enough.
Consumers have a strong level of concern when
communicating confidential information over the
telephone.
Because of these fears of identity theft and other forms of
fraud, consumers might be more willing to participate in
a speaker verification system.
Vascular Biometrics
How the Technology Works
Vascular biometric systems, also called hand vascular
pattern recognition systems, record subcutaneous infrared
(IR) absorption patterns to produce distinctive identification
templates for users. The technology could be
likened to a vascular “barcode” reader. Veins and other
subcutaneous features present large, robust, stable, and
largely hidden patterns that can be conveniently imaged
within the wrist, palm, and dorsal surfaces of the hand.
In a typical hand-based vascular biometric, the hand
is placed under an imager and an image of the back of
the hand is taken. In the image, the main dorsal blood
vessels have higher temperature compared to the surrounding
tissue, so they appear brighter in the image.
The system carefully selects the region of interest (ROI)
of the hand and extracts the vein patterns. After “noise
reduction,” the vein pattern is segmented from the background.
Since the sizes of blood vessels grow as people
grow, only the shape and distribution of the veins is taken
into consideration. The vein pattern is skeletonized and
Version 2 – Summer 2008

Section 3 44 Types of Biometric Technologies
a shock graph representation is obtained for the pattern.
A comparison of the shock graph with the ones stored in
the database is carried out and a decision is made for the
identification match/non-match.
In a typical palm-based system the palm is illuminated
with IR light. Hemoglobin in the veins absorbs the IR
light, and the resulting image provides a clearly defined
pattern, darker than the other portions of the hand. The
person’s identity is confirmed if the extracted pattern
matches with the pattern that was registered in the system
during enrollment.
Variations
Vein pattern recognition devices consider the vein patterns
in either the top of the hand or in the palm. There is
also a vein pattern recognition system that uses the vein
patterns in the finger.
In the finger-based system, the user inserts his/her finger
into the finger vein reader, which is typically a CCD
camera inside a partially enclosed device. The device
captures the finger vein pattern that is projected by near
IR from LEDs. The high absorbance rate of the near IR
wavelength of hemoglobin in the blood vessel enables
finger vein patterns to be acquired. These “raw” images
are, after being converted into certification format, sent
to the image database to compare with the registered
template, and a match/no match decision is made.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 45
Robustness
The human vascular structure is a distinctive feature of
each individual. IR absorption patterns are easily compared
using, like all biometrics, digital signal processing
(DSP) techniques. Identical twins have distinct IR absorption
patterns, as does everyone in the patterns of veins
on one’s own right and left hands. Veins provide large,
robust and hidden biometric features that are not easily
observed, damaged, obscured, or changed. Veins
are useable in rough environments where more delicate
biometrics such as fingerprints would be damaged.
Veins are hard to disguise or alter. The use of vascular
biometrics avoids privacy concerns and criminal stigma
of fingerprints. Vein patterns in the hand are claimed to
be stable over one’s lifetime, barring trauma or surgery
that would otherwise alter them.
Limitations
Obviously, gloved, covered, or extremely dirty hands
cannot be, or cannot easily be, identified using a hand
vein pattern recognition system. These systems are two
to three times more expensive than fingerprint systems
and are historically considered an esoteric biometric
without definitive documentation of its reliability and accuracy
available in the public domain. Drugs, exercise,
mental health and medical conditions all impact imaging
and accuracy of comparisons. Also, current vein pattern
recognition systems use cameras that are not portableor
certainly less portable-than other technologies.
Applications
While vascular biometrics has not historically been a
Version 2 – Summer 2008

Section 3 46 Types of Biometric Technologies
mainstream modality, and indeed as recently as 2003
was categorized as “esoteric”, in the early or experimental
stage (Woodward, Orlans, Higgins, Biometrics, Identity
Assurance in the Information Age), some progress has
been made recently to document its efficacy which may
move it toward greater acceptance and proliferation.
The potential for high accuracy in vascular biometrics
has always been present and on occasion demonstrated
in practical applications such as Retinal Scanning. Although
Retinal Scanning continues to be categorized
as an “eye-biometric”, the technology is in fact, based on
matching live vascular patterns in the retina with previously
enrolled patterns in a database.
Early uses of vascular biometrics were in low to medium
security applications, such as time and attendance
(to prevent “buddy punching”), allowance and payment
control, login and information protection, and safe deposit
box access. These have been supplemented more
recently by higher security applications including a nuclear
power facility, a high-risk biohazard lab, universities,
and casinos. The largest seaport facility in Canada
is currently using vascular biometics for credentialing
employees and controlling access. In this application, to
allay privacy concerns, the biometric data is on a smart
card in the possession of the individual rather in a centralized
Port Authority database. According to Hitachi,
about 85% of Japan’s ATMs are using vascular biometrics
to prevent loss 39 .
39 Security Management, January, 2008, Technofile, “Vein Rec-
ognition Use Grows”, John Wagely.
Version 2 – Summer 2008

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
500 – 1000 bytes • Well suited for
applications where
signatures are accepted
identifiers
Signature size is limited
Users are unaccustomed to
signing tablets
Has limited applications
Signatures change over time
Enrollment and verification
conditions must be in same
type of environment
Low accuracy
•
•
Virtually no privacy rights issues
High user acceptance since it
is similar to existing pen-based
signature method
Resistant to imposters
Leverages existing processes
Perceived as non-invasive
Users can change signatures
•
•
How a user
signs his/her
name
Dynamic
Signature
Analysis
•
•
•
•
•
•
•
•
84 bytes – 3.5K • Use in some passport
and visa application
systems
• Use in some access
control systems
The PIEC problem degrades
performance
Easily circumvented by
disguise & cosmetics
Cannot distinguish between
identical twins
Niche market for network
authentication
•
Can leverage existing databases,
including static driver’s license
photos
Can capture images from a distance
Affordable hardware
Perceived as less intrusive than other
technologies
Moderate accuracy
•
Facial
features/
patterns
Facial
Imaging
•
•
•
•
•
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
256 bytes – 2Kb • In-house systems where
users can be trained
appropriately, in a
controlled environment
•
Workstation access
Has “common criminal” stigma
Skin dryness, dirt, cuts, and
user’s age can cause ID errors
Liveness detection can be a
problem
Fingerprint impression often
left on the sensor
Certain occupations or
activities can temporarily or
permanently cause loss of
fingerprint definition which
impairs operation
•
•
Unique even among twins
Stable throughout one’s lifetime
(subject to the caveats in the
Limitations column)
High to moderate accuracy
Mature and proven core technology
Technology is relatively inexpensive
Can be deployed in a range of
environments
Employs ergonomic, easy-to-use
devices
•
•
Fingerprint
patterns
Fingerprints
•
•
•
•
•
•
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
9 bytes • Time and attendance
recording
•
Access control
Hand injury and user’s age
can effect errors
Limitations in hand dexterity
can lead to errors or non-use
Limited accuracy because of
the “simple” features
Features can change over
life-span
Hand geometry hardware has
large footprint, and cannot be
used in embedded systems
Currently only operates in the
verification mode
Some users may be
uncomfortable touching a
device that many people have
previously touched
•
Moderate accuracy
Offers good balance of performance
characteristics
Relatively easy to use
Perceived by most as non-intrusive
and non-threatening
•
•
Hand shape/
size
Hand
Geometry
•
•
•
•
•
•
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
Iris
Iris patterns • High accuracy
• Some users won’t accept eye- 256 – 512 bytes • High security
Recognition
• Uses conventional camera-based based technology
applications
reader
• High cost capture devices
• Suitable for very large
• Works well through eyeglasses and • Has not been shown to
databases
contacts, even colored ones
be suitable for covert
• 1 to N searches without
• One of the few biometrics that
surveillance
PIN or P/W
works well in “identification” (one to • Erroneously confused with
• Watch lists,
many) mode
iridology
• Benefits entitlements,
• Capable of handling very large
• Duplicate driver’s
databases
license detection
• Distinguishes Monozygotic
(identical) twins
• High speed, 1 million comparisons
persecond
• Highly distinctive biometric feature
Keystroke Typing • Adjustable matching threshold • Not unique to each individual 84 – 2K bytes • Computer and/or
Analysis pattern • No adjustable or specialized • Large variations in a person’s
workstation security
hardware required
typing patterns
• Combines password generation and • Some people do not know
enrollment into one simple function how to type
• Low accuracy
• Predominantly a behavioral
biometric

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
Data not available
Low user acceptance because
of criminal stigma
Touching what others may
have
Platen must be clean
Bulky sensor hardware
•
Features unique and stable through
life
Potentially more features than
fingerprints
Features more numerous and
unique than Hand Geometry
•
Palmprints Palmprint
patterns
•
•
•
•
•
96 bytes • High security
applications, i.e., military
Difficult to use (proximity,
focus, no glasses)
Users not comfortable with
technology
Affected by glaucoma,
diabetes, hypertension,
pregnanancy, and AIDS
Limited commercial
availability
Not suitable for covert
applications
•
High accuracy
Very unique biometric feature,
stability over lifetime, difficulty
of spoofing, and protection from
environment
•
•
•
Retinal Scan Retina
blood vessel
patterns
•
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
Identity verification
to physical areas,
computer networks,
ATMs, and consumer
products
Passenger/traveler
identification
Military installation
access
Handgun safety
Keyless auto/truck
entry; keyless ignition
•
Immature, untested
technology
Requires more development
and testing
•
Data not available
•
Works on nearly any skin site
Convenient to use
Small footprint and low power
requirements; good for use in small
electronic devices
Anti-spoofing protection
•
•
•
Skin
physiology
or structure
Skin
Contact
•
•
•
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
Niche, low to medium
security
Inmate identification
in correctional facility
telephone control
applications
House arrest
applications
911 applications
•
Biometric component not
distinctive and vary with head
cold, sore throat, weather,
emotional state and age
Ambient noise interferes with
process
Quality variations in
telephones, microphones &
connections affect accuracy
Cross-channel enrollment &
verification affect accuracy
Not suitable for 1:N
identification
Potentially more susceptible
to replay attacks than other
biometrics
System requires extensive
“training” with each
enrollment
Large templates reduce
enrollment capacity
•
•
Eye & hands free operation
Leverages telephone infrastructure
Flexibility makes it suitable for many
applications
Requires no special user training or
equipment
Layers with verbal passwords & PINs
•
•
•
Speaker
Verification
6Kb-80Kb
•
•
•
•
•
•
•
•
•
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
Data not available • Niche, low to medium
security
• Inmate identification
in correctional facility
telephone control
applications
• House arrest
applications
• 911 applications
More expensive than
fingerprint
Accuracy affected by drugs,
exercise and health
Limited documentation on
reliability and accuracy
Testing so far limited to 1:1
applications
Users must remove gloves
•
Vascular structure is distinctive
feature
Veins are large, robust, stable and
hidden
Vein patterns easily compared at
high speed
Veins not easily observed, damaged,
obscured or changed
•
Vein
patterns in
palm, top of
hand, and
finger (s)
Vascular
Biometrics
•
•
•
•
•
•
•
Data not available • Healthcare applications
involving organ donors
or transplants
Other--DNA DNA • Cannot distinguish between
identical twins
• Highly intrusive; requires
physical sample
• Takes days for “comparison”
results
• Easy to steal someone else’s
DNA (hair strand)

COMPARISON OF BIOMETRIC TECHNOLOGIES – MATRIX I
Type Measures Robustness Limitations Template Size Applications
Data not available • No known applications
Low accuracy
Difficult human interface
No operational systems
•
•
•
Shape and
contours of
the outer
ear
Other
Shape--Ear
Data not available • Accuracy has not been
established
• If established, could
be useable for covert
surveillance & detection
Other--Gait • Low accuracy
Ineffective with crutched or
wheelchair bound people
Subject to behavioral
manipulation
•
•

COMPARISON OF BIOMETRIC TECHNOLOGIES 40 – MATRIX II
Applicable Published Standards Limitations
Long-term
Stability
Public
Acceptance
Type Universality Accuracy Ease of
Use
Illiteracy
Variability of
signature
Common neuromuscular
diseases
Low Low High Very High Medium INCITS 395-2005
INCITS 358-2002 BioAPI
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart Cards
NISTIR 6529-A CBEFF
Dynamic
Signature
Analysis
Lighting, aging,
glasses, facial hair
disguise, makeup
Low Low Medium Medium Medium INCITS 385-2004
INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart Cards
NISTIR 6529-A CBEFF
Facial
Imaging
40 Biometric Identification. Simo Huopio. Helsinki University of Technology. November 1998; NBSP expert opinion and NBSP standards data-
base. 2005.

COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations
Use Acceptance Stability
Dry, dirty, damaged
finger images
High High High High High ANSI/NIST ITL 1-2000
CJIS /FBI IAFIS-IC-0110
CJIS-RS-0010 (v) 7
INCITS 377-2004
INCITS 378-2004
INCITS 381-2004
ILO SID-002
INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart
Cards
NISTIR 6529-A CBEFF
Fingerprints

COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations
Use Acceptance Stability
Hand
Diseases such as
Geometry
arthritis, rheumatism,
Dupytrens
Contracture
Medium Medium High High Medium INCITS 396-2005
INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart
Cards
NISTIR 6529-A CBEFF
Rare disease such as
Iritis
Reflections
High Very High High Medium High INCITS 379-2004
INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart
Cards
NISTIR 6529-A CBEFF
Iris
Recognition
Inability to type
Low Low High Unknown Unknown INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart
Cards
NISTIR 6529-A CBEFF
Keystroke
Analysis

COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations
Use Acceptance Stability
High Unknown Unknown INCITS 358-2002 Bio API
Diseases such as
INCITS 398-2005 CBEFF
arthritis, rheumatism,
ISO/IEC 7816-11:2004 W/IC cards Dupytrens
NIST SP 800-73 W/FIPS 201 Smart Cards Contracture
NISTIR 6529-A CBEFF
Palmprints Medium/High Medium/
High
Diseases of the eye
such as retinitis
Glasses
Diabetes
Pregnancy
Hypertension
Retinal Scan Very High High Low Low High INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart Cards
NISTIR 6529-A CBEFF
Unknown
High Unknown Unknown Unknown Unknown INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart Cards
NISTIR 6529-A CBEFF
Skin
Contact
Background noise;
colds and other
factors
Low Low High High Medium SVAPI
INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart
Cards
NISTIR 6529-A CBEFF
Speaker
Verification

COMPARISON OF BIOMETRIC TECHNOLOGIES40 – MATRIX II
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations
Use Acceptance Stability
Vascular Medium/High Medium Medium/ High High INCITS 69-2002 BioAPI
Affected by drugs,
Biometrics
High
INCITS 398-2005 CBEFF
health
ISO/IEC 7816-11:2004 W/IC cards Limited
NIST SP 800-73 W/FIPS 201 Smart documentation
Cards
on reliability and
NISTIR 6529-A CBEFF
accuracy
ISO 19794-9 Vascular Image
Testing limited to 1:1
applications
Users must remove
glasses
Need for real time
matching
High High Low High Very high INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart Cards
NISTIR 6529-A CBEFF
Other
– DNA
Unknown
High Unknown Medium Unknown Unknown INCITS 358-2002 Bio API
INCITS 398-2005 CBEFF
ISO/IEC 7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart Cards
NISTIR 6529-A CBEFF
Other – Ear
Shape

COMPARISON OF BIOMETRIC TECHNOLOGIES39 – MATRIX II
Type Universality Accuracy Ease of Public Long-term Applicable Published Standards Limitations
Use Acceptance Stability
Other--Gait Medium Unknown High Unknown Low IINCITS 358-2002 BioAPI
Unknown
INCITS 398-2005 CBEFF ISO/IEC
7816-11:2004 W/IC cards
NIST SP 800-73 W/FIPS 201 Smart
Cards
NISTIR 6529-A CBEFF

Section 3 62 Types of Biometric Technologies
Other Biometric Technologies
Body Odor
Most living things emit an odor that is characteristic of its
chemical composition. In most cases, this odor might be
usable for distinguishing between them.
In a body odor biometric system, sensors capture body
odor from non-intrusive parts of the body, such as the
back of the hand. Each unique human smell consists of
different amounts of volatiles or aromatic compounds.
Body odor is largely produced by bacteria on the skin
and pheromones, the chemical that is produced to signal
to others of the same species. These volatiles are
extracted by the system and converted into a biometric
template. Body odor can be digitally recorded for identification.
These odors are present even though they may
not be detectable by the untrained nose and cannot be
entirely obscured by deodorant or washing.
Most body odor-based systems depend on having users
holding the palm of their hand against a sensor that can
recognize unique scents that have been broken down
into a complex algorithm. Once a person’s body odor
has been registered, it can be entered on a card, such as
a credit card or identity card, or on a document, such as
a passport, just like any other biometric feature. The U.S.
Government (DARPA) is currently 41 funding a multi-year
classified study on this technology.
41 As of this writing.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 63
Body Salinity (Salt)
This developmental system works by exploiting the natural
level of salinity, or salt, in the human body. This is
accomplished by using an electric field and salt’s natural
conductivity to measure a tiny electrical current that
is passed through the body. The electrical current that
is used is approximately one-billionth of an amp (nanoamp),
which is less than the natural currents already present
in the body. Speeds equivalent to a 2400-baud modem
have been claimed, yielding a data transfer rate of
up to 400,000 bits per second.
Applications for this kind of biometric technology could
include the interaction (data transfer) between communication
devices carried on the body, such as watches,
mobile phones, and pagers. Also, applications could include
“waking up” household appliances/devices as one
enters a room.
DNA
Deoxyribonucleic Acid (DNA) is the one-dimensional ultimate
unique code for a person’s identity with the exception
of identical sibling sets (twins/triplets), which have
identical DNA patterns. DNA is currently used mostly in
forensics applications for identifying people.
DNA is not readily considered to be a biometric identifier,
although the process certainly positively identifies people
based on a biological characteristic. Although DNA is
an accurate identifier, it differs from what are considered
“standard” biometric features in several ways, including:
Version 2 – Summer 2008

Section 3 64 Types of Biometric Technologies
•
•
•
DNA requires a physical sample (e.g. a strand of hair)
instead of an impression, image, or recording of the
biometric feature.
DNA testing cannot, currently, be done in practical
real-time.
DNA requires the user to provide another cell sample
every time he/she wishes to be identified.
In addition to the differences above, there are three key
issues 42 that limit the day-to-day utility of using DNA as a
biometric for “general” (non-forensic) applications.
1.
2.
3.
Contamination and sensitivity: It is easy to steal a
piece of DNA (hair strand, dead skin flake) from an
unsuspecting subject that can subsequently be used
for false purpose.
Automatic, real-time recognition issues: As mentioned
above, the present technology for DNA comparison
requires complicated and exacting chemical
methods that require specific expertise; DNA testing
and reading is not designed for automated, non-invasive
recognition.
Privacy issues: Information about a person’s proclivity
to certain diseases, or whether a person currently
suffers from a disease or condition, could be ascertained
from the DNA data, resulting in concern that
abuse, whether intended or accidental, of genetic
42 An Introduction to Biometric Recognition. Jain, Ross, and
Prabhakar. IEEE Transactions on Circuits and Systems for Video
Technology. January 2004 IEEE. Used with permission..
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 65
code information could become public and/or result in
discrimination.
Ear Shape
Some biometricians believe the shape of the ear and
the structure of the cartilaginous tissue of the pinna
area (outer area of the ear) to be distinctive, and that the
structure of the ear does not change significantly over
time. Medical literature reports that ear growth after the
first four months of age is highly linear or proportional.
Ear shape biometrics research is currently based on law
enforcement needs to collect ear markings and shape information
from crime scenes. The technology has some
potential in limited access control applications, in similar
use as hand geometry. Currently there are limited research
activities underway with ear shape biometrics.
Identification by ear shape is passive, like facial recognition,
but instead of using the difficult-to-extract face geometry,
ear shape biometrics use the ear features more
like fingerprinting. The external structure of the ear contains
the following regions of interest that can be used
for biometric measurement: Helix rim, lobule, antihelix,
concha, tragus, antitragus, crus of helix, triangular fossa,
and incisure intertragica.
Ear recognition technology is based on comparing the
distance of salient points on the pinna from a “landmark”
location on the ear. A machine vision-based method of
ear identification has been developed that localizes and
segments a subject’s ear via a grayscale CCD camera-acquired
image using contours. Once segmented, the features
are computed and the difference between the
Version 2 – Summer 2008

Section 3 66 Types of Biometric Technologies
enrollment biometric template is computed and compared
with the live (presented) biometric and a match or
no-match decision is made.
One of the primary arguments against ear shape
biometrics is that ears are often hidden or covered by
hair or hats, rendering them unusable. In selected populations,
however, such as the military where hair is kept
short and above the ears, this technique could be applicable
and useful when supplementing other automated
methods.
Figure 3-6 Rendering of the structure of the external ear. 43
Facial Thermography
Facial thermography refers to the pattern of heat in the
face caused by the flow of blood under the skin. IR cameras
capture this heat to produce a thermal pettern. Because
the vein patterns in a person’s face are distinctive,
the IR thermal pattern they produce is also distinctive to
each person. The process is based on the principle that,
while the underlying vein and tissue structure is stable,
43 Reprinted from Gray’s Anatomy, 39th Edition 2005 Elsevier
Ltd, with permission from Elsevier.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 67
the dynamic nature of blood flow causes fluctuations and
the appearance/disappearance of secondary patterns.
Environmental conditions such as ambient temperature
and the introduction of alcohol or drugs, for example,
can alter the thermal signature of the face.
This technology is better suited to determine “liveness” of
the subject - no thermal image indicates no life - than for
actual identification of the individual. Facial thermography,
used in conjunction with other biometric technologies,
could indicate a rested or fatigued person or determine
physical condition, such as indications of alcohol
use, although this has never been demonstrated in any
commercially available technology.
One major technical advantage of this technology, however,
is that it does not use infra-red cameras to illuminate
the face, but rather relies on the infrared emmissions
generated by the face itself. This capability is extremely
useful in surveillance applications, especially when it is
necessary to identify people in dark places or at night.
Finger Geometry
Finger geometry biometrics is very closely related to hand
geometry and has achieved limited success as a competitor
to hand geometry in access control and time and attendance
applications. This technology can be used, for
example, in ATMs, border checkpoints, mobile payment
vehicles for distribution of public benefit funds, air passenger
identification and other general access control
applications.
Spatial geometry of the finger(s) is examined as the user
puts his/her hand on the sensor’s surface. Two varia-
Version 2 – Summer 2008

Section 3 68 Types of Biometric Technologies
tions of capture processes are used, one of which is similar
to hand geometry but uses a smaller footprint. The
second technique marketed in the early 1990s requires
the user to insert a finger into a “tunnel” so that the circumference
of the finger at several locations could be
measured.
Gait
Gait biometrics is a complex spatio-temporal biometric
that uses an individual’s walking style or gait to determine
identity. Gait is not necessarily distinctive, but
sufficiently discriminatory to allow verification in some
low-security applications or used in conjunction with
other identification mechanisms. It is particularly useful
in identifying someone from a distance or when only
low image resolution footage is available, as with CCTV
cameras, and with or without their cooperation. It can
spot people who are moving around in suspicious ways,
which may include repetitive walking patterns or movements
that do not appear natural given their physicality.
Since gait measurement is a behavioral biometric that
depends upon walking surface and type of shoe worn,
it may not remain stable over a long period of time due
to those factors as well as fluctuations in body weight,
injuries, or intoxications. Wearing a trench coat can mask
the feet and using flip-flops can also throw off measurements.
Though still in its infancy, the technology is no
longer under active investigation, having lost most of its
funding sources in 2004. Presently (at time of this publication),
gait recognition is much less diagnostic than
other methods, but it can act as a screening tool in conjunction
with other biometric methods.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 3 69
Gait recognition imaging and analysis is achieved by
computer vision or with the help of a radar system. The
former uses video cameras to analyze the movements
of each body part - the knee, foot, shoulder, and so on.
The latter uses radar to bombard the subject with invisible
radio waves. Each person’s walking speed and style
will make the waves bounce back differently. The result
is a type of composite signature that characterizes the
overall unique signature of the walk. Computer analysis
can be used to parse digital video images and study both
static body and stride parameters.
The ultimate goal of gait biometrics is to detect and recognize
people at extended distances under day or night
and all-weather conditions.
Rhythm/Tapping Sequence
In the early days of telegraphy, operators could identify
each other by recognizing the way in which they tapped
out messages. This simple idea has been used as a type
of biometric, using newly developed polymer thick-film
pressure sensors that can detect the unique cadence of a
tapped rhythm and verify identity.
This method exploits the differences with which individuals
tap out a rhythm, capturing the pattern of taps
on a single sensor rather than the pattern of keystrokes
on a keyboard ( such as keystroke dynamics). A tapping
sequence can have both waveform and rhythm features.
Waveforms are studied for unique charachterisics, such as
height and duration. Like sound waves, pressure points
provide measurable wavelenths. Recognition by rhythm
is so simple it may be possible to implement on devices
such as smartcards and PDAs by screen-printing a
Version 2 – Summer 2008

Section 3 70 Types of Biometric Technologies
sensor onto a thin layer of Mylar that is bonded onto the
device.
Keypad pressure sensors may run up against many of
the same obstacles as the early keystroke-pattern recognition
systems. A user must apply the sensors with a
substantial amount of initial input in order to train the
sensors to recognize the individual’s unique waveform
signature. Biological responses like fatigue can change
the pattern of the user’s input in the course of such a test.
Factors such as posture or position relative to the sensor
pad can also affect the user’s pressure “signature.”
Skull Resonance
Skull resonance is a developing form of biometric identification
by which sound waves are passed through the
head of a subject to produce a unique sonar profile.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 1
Section 4: The Biometric System Design
Process
Designing a practical and functional biometric system or
more properly a “subsystem” since few biometric applications
stand alone is a combination of art and science with
a heavy dose of common sense. Whether or not an experienced
practitioner or systems integrator is engaged to
assist in this process it will be helpful for the user/buyer
to understand the key elements of the design process,
and some of the more important considerations that
should be included in that process.
This section deals with the key elements of the design
process for insight and as a guide to any procurement action
for a biometric system, even if the action includes
the complete design process. The key elements or phases
are:
A. The System Concept,
B. The Requirements Definition, and
C. The Systems Specification.
The latter part of the section provides real world examples
of biometric access control systems, including physical
A/C, logical (virtual) A/C, and a combined domain system.
The system or application concept defines the context
and objectives for the biometric system or product suite
that will be procured. It need not be a lengthy document,
but it must be sufficient in description and detail to clearly
communicate the ultimate performance that you will
Version 2 – Summer 2008

Section 4 2 The Biometric System Design Process
expect of the system.
The requirements definition should be articulated in sufficient
detail and clarity to fully address the performance
characteristics expected of the system, short of detailed
product or system specifications. It should be complete
enough to allow the evaluation of proposed solutions
and alternative approaches that can still meet the system
concept goals.
The system specification is the detailed technical order
for the operating system and is the equivalent to the
architectural blueprints and technical narrative for construction
of a building. While the details of developing
the system specification exceed the scope of this manual,
and are usually prepared by professionals, a description
of basic content is described below.
A. System Concept Development
The first step in concept development is to decide what
the operational system should do. In other words, what
role does an identity assurance function play in the overall
operation, as well as the specific application that you
may have in mind for the biometric component. All who
are involved will need to know first how the new system
will be employed in both a broad sense and also in sufficient
detail to support a specific procurement action.
Application Concepts
Basic to developing a system concept is understanding
how the system will be applied. To summarize Section 9
of BTAM Volume 2, there are many different ways to cat-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 3
egorize applications--not one of which is absolutely correct
or universally accepted in the biometric community.
One’s choice of categorization, or taxonomy, depends on
one’s objectives; however, one that is useful both for clarity
of thinking and for understanding of the issues. These
are functional categorizations:
1. Access Control either physical or logical (virtual). The
most common application in use today where one’s
identity is established or verified before allowing access
to a space or a network/domain.
a. Physical access control - meaning the authenti-
cation of authorized individuals in order to validate
physical access to an area, facility, building,
room, space, or other protected asset location.
b. Logical or information access control - also re-
ferred to as computer or cyber security; means
authentication of an authorized individual in
order to validate access to a network, program,
data, or other electronic or computer based asset.
2. Identification such as for watchlists, prisoners, driver’s
license applicants, etc.
3. Benefits eligibility, such as food stamps, welfare, ration
cards, etc.
4. Commercial transactions such as credit card users,
bank customers, etc.
By understanding the type of application most suitable
for your particular circumstances, one can more clearly
Version 2 – Summer 2008

Section 4 4 The Biometric System Design Process
articulate objectives that the system must ultimately
meet. Although access control is historically the most
common and is frequently used as example, there are
other applications whose fundamental purpose differs
from access control and this should be kept firlmy in mind
as the system concept is developed. (See discussion in
paragraph D Biometric Access Control.) Additionally,
recognize that complex identity assurance systems
may involve more than one category of application and
objectives.
Objectives
Objectives derive naturally from the type of application
envisioned, such as:
1. Access Control - verify that a user’s identity matches
that of a specific person who is authoized access to a
space or network/domain. (Note that a biometric system
does not verify that a person has a right and need to
have access. That determination is made administratively
before allowing a user to enroll in a biometric system.)
2. Identification includes the following: Identify an individual
who is in a database of personae non gratis (a
watchlist of undesirables). Determine if a person has
ever been booked or imprisoned, and if so, who the individual
is. Determine if an individual has ever been issued
a driver’s license before, and if so, is it under the same
identity they are currently claiming.
3. Benefits eligibility - determine if an individual has ever
made a claim for food stamps, welfare, ration cards, etc.,
and if so, is it under the same identity they are currently
claiming.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 5
4. Commercial transactions - determine if a customer’s
identity matches identity information stored on a credit
card. Determine if an individual seeking access to a safe
deposit box is in fact the owner of that box. Determine
if an individual cashing a check has a legitimate account
with sufficient funds to complete the transaction.
Operational Considerations and
Constraints
When the applications and objectives have been determined,
the concept should next address the operating
environment in which the biometric system will be expected
to function. The individual or team responsible
for concept development must be realistic and practical
in establishing the expectations for both operational
integration and the routine performance of the system
when placed under human control. Significant operational
considerations include, but are not limited to, the
following:
1. The Threat: What is the rational prospect of a threat
against the operating system from a hostile, economic,
or asset loss perspective involving a failure in identity assurance?
What is the nature and presumed capability of
that threat? Is it covert or overt? What has been the experience
in the past? What is the justification for increased
measures or countermeasures against that real or now
perceived threat? Understand the difference between
the casual and focused threat.
2. The Vulnerability: What problems or weaknesses in
the identity assurance or security program exist in the organization
today? How have those been exploited in the
Version 2 – Summer 2008

Section 4 6 The Biometric System Design Process
past and to what extent? Where are the critical points in
routine or non-routine operations? Where would an attack
on the program create the most disruption and least
possibility for quick recovery?
3. The Geography: Consider the macro-environment,
meaning the scope of the space or spaces to be protected.
For example, if this is a physical domain: (1) One room
or many? How many?; (2) One building or many? How
many?; (3) One campus or several? How many?; (4) An
integrated global enterprise? A global enterprise with
no integration?
4. The Environment: Will the system operate indoors
only? If an outdoor requirement exists, will a kiosk or other
outdoor or climate control facility to host the biometric
component be acceptable and feasible? What unusual
conditions exist in the planned location that may affect
biometric technology performance (light, heat, cold,
noise, electronic interference, etc.)?
5. The User Population: What is the scope and nature of
the demographics (characteristics) of the planned user
group (age spread, handicaps, etc)? Are there any occupational
issues that affect biometric performance? (See
Section 3 of this manual on product/technology limitations.)
6. The Interface: What other systems or subsystems is
the biometric system expected to work with? Is the interface
simple compatibility or a more complex integration
and interoperability? For example, will physical access
granted at each site be reported in near-real time to HQ?
Will correct physical entry be linked to computer logon
in such a way that both must occur?
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 7
7. The Privacy and Social/Cultural Environment: What
are the concerns that may be faced when considering the
nature of the user base? (See Section 7.) What increase in
the level on inconvenience will your management and
employee base tolerate for an improved identity assurance
and security program? This includes such issues as
orientation/training and enrollment, slower throughput
or increased transaction times at entry portals, repeat authentications
for any reason etc.
A summary of the results of the concept development
exercise described above will lead directly to a more formal
definition of requirements.
B. The Requirements Definition
In brief, the Requirements Definition phase describes the
new biometric system in precise and comprehensive detail
(short of a formal system design specification), both
for the system itself and the anticipated operating environment
after installation. This description includes a
performance specification that addresses all operating
needs and application capabilities and provides an exact
count of the number of biometric devices to be provided,
the number of devices for use outdoors, the number to
be used indoors, and the number of enrollment points
desired. For each outdoor location, the description must
also provide historical weather conditions in terms of
temperature range, humidity range, precipitation types
and amounts. For all locations, the description must include
the physical location of power supplies relative to
the biometric device mounting point and the power rating
in volts and hertz.
Components of the requirements definition could
Version 2 – Summer 2008

Section 4 8 The Biometric System Design Process
include:
1. Application, Function, and Objectives desired.
2. Operating Environment and Limitations.
3. Performance Specifications.
While most of the components of the requirements
definition are derived from the Concept Development
Phase, the performance specification has significantly
more detail about special criteria that the use may feel
is necessary, even before a designer/integrator is employed.
These could include some or all of the following
considerations:
a. Technology Limitations:
If possible, a systems
designer or integrator may be relied on to select
the best technology or combination of technologies
suitable for the application and purpose.
However, if the user (buyer) is convinced that
a technology will not be suitable for his needs,
he should mention that exclusion in the performance
specification or specify those that are acceptable.
Operating Speed
b. : Generally in biometrics this
is expressed as the throughput rate and is described
as the number of end users that a biometric
system can process within a stated time
interval (such as hour or minute). When possible,
the new throughput rate should be equal to
or less than what the current system permits, unless
there is an institutional commitment to less
speed for more accuracy (or security).
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 9
c. Accuracy:
Generally expressed as the False
Match Rate. The tolerance for a False Acceptance
(Type 2 error) will be much lower than the tolerance
for a False Rejection (Type 1 error) since little
or no harm is done in rejecting an authorized
person. On the other hand, tightening the controls
so that the number of False Acceptances is
minimized will dramatically increase the number
of False Rejections, a consequence that employees
and officers of many companies will come to
resent. It may also adversely affect the system
throughput rate by forcing individuals to repeat
entry requests.
d. Minimal Failure to Enroll Rate:
As an observation,
virtually all biometric technologies suffer,
by varying degrees, from an inability to enroll a
certain percentage of people for one reason or
another. There should be a dialog between the
system user/buyer and potential vendors to ensure
that proposed biometric systems are consistent
with the ethnic or socio-cultural nature of
the pool of users to minimize the likelihood of a
significant failure to enroll users. For example, an
auto repair shop is likely to have many mechanics
with rough and oily hands and should avoid
using biometric devices sensitive to fine features
of the hand or fingers.
e. User Population:
The specification should provide
a headcount of users as well as a breakdown
of users by type, such as:
–
–
Full-time employees without access restrictions.
Full-time employees with limited access entitle-
Version 2 – Summer 2008

Section 4 10 The Biometric System Design Process
–
–
–
–
–
ments.
Part-time employees with and without restrictions.
Number of vendors, sub-contractors, consultants,
etc., who may require varying degrees of full or
limited access.
Anticipated total number of visitors per year.
Number of visitors expected to return periodically
to site.
Number of visitors requiring unescorted access
to specified areas.
Biometric systems vary in their ability to process
large numbers of users. They also vary in the level of
effort required to enroll and delete users from their
databases. The license fee cost of some systems varies
as a function of the number of enrolled users.
Providing vendors with the headcount estimates will
help the vendor determine whether their products
will accommodate the expected volume.
f. Networking Issues: The user/buyer should provide
a comprehensive description and outline of the
available network to be used to support the biometric
system. Typically, security system data and control
signals should have secure, dedicated circuits
not subject to the volume of unrelated data flow
through the network. This prevents inadvertent diversion
of security-related information to unauthorized
persons, and to prevent a stoppage or degradation
of service due to traffic volume.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 11
g. Quantities: The performance specification can
include anticipated quantities of controlled access
points, or even specify products and equipment if
the technology has already been selected.
h. Privacy and Personal Information Issues: The user/
buyer should examine the nature of personal information
likely to be in its information systems and the
types of personal information that must be withheld
from disclosure through any unauthorized channel.
The vendors will need to know what types of information
will be prohibited from transmission through
any part of the biometric system.
i. Contact vs. Non-contact System Preferences: Some
biometric systems (such as fingerprint and hand geometry)
require physical contact between the user
and the biometric device. Other biometric systems
(such as iris recognition, voice recognition, facial recognition,
etc.) do not. The desired system description
must make it clear if there are any constraints prohibiting
or requiring physical contact between the user
and the biometric device.
4. Interface and Interoperability Requirements
5. Documentation Requirements
a.
b.
c.
d.
System operating diagram
Operating manual(s)
Schematics
Maintenance plan.
Version 2 – Summer 2008

Section 4 12 The Biometric System Design Process
6. Training Requirements
7. Schedule and Required Operational Capability Date
(if any)
C. The System Specification
The System Specification generally comprises three key
components:
1. The customer background information likely to have
a bearing on products and/or system proposed and the
general system description contained in the System Concept
described above. Often called an “Operating Environment
Description”, these are the descriptions of the
various sites and locations into which the new system
will be inserted and operated. It consists of the following:
a. Location description(s)
b. Interior environment(s)
c. Sound & lighting details
d. Exterior description
e. Weather conditions expected
f. Environmental limits expected (if relevant and
appreciable)
1. Temperature ranges
2. Humidity
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 13
Version 2 – Summer 2008
3. Vibration
4. Barometric pressure
g. Number of users (staff & visitors)
h. Number of portals/devices estimated
i. Number of enrollment points estimated
2. The performance expectations and operating features
the selected product must satisfy as expressed in the Requirements
Definition described above.
3. The detailed Technical Requirements necessary to fulfill
the design objectives, procure and install the system, and
fully integrate it for operational capability. The technical
sections of the System Specification will vary by title and
content from different designers or integrators. There is,
however, a minimal amount of information that should
be included in any system specification, including:
a. Power requirements including source and
location(s)
b. Proposed products and components
c. Hardware
d. Software
e. Peripherals
f. Network and support

Section 4 14 The Biometric System Design Process
D. Biometric Access Control (A Design
Example)
1. Introduction
The majority of biometric systems provide routine access
control in buildings, offices, welfare programs, or information
systems. Authorized persons are enrolled in the
biometric system and, upon recognition or confirmation
of identity by live presentation of the enrolled feature,
are granted access to the protected asset or privilege.
Biometric systems used in these applications often use
precision equipment and technologies with very low error
rates. The remainder of Section 4 will focus on access/entry
control applications as an example of how the
design process described above will meet specified requirements.
Although the False Accept/Reject vs. False Match/Non-
Match issue was introduced earlier in this manual in Section
2, it is important to review the issue when discussing
design, requirements and system specifications. It is absolutely
imperative that a user understand and articulate
to his designers and suppliers his needs regarding what
a biometric system is expected to do for him/her. Blindly
insisting on the lowest possible False Match rate for example,
can be a disaster in a negative identification system
where a False Non-Match is the critical failure and a
False Match is merely a nuisance to be sorted out later.
In conventional access control applications, the industry
uses the terms False Accept and False Reject to refer to
observed processing errors. A False Accept error occurs
when the biometric system accepts the subject’s implied
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 15
assertion that they are in the database but are not. This
happens when the biometric image presented (face, iris,
fingerprint) by an un-enrolled person closely matches
the reference of an enrolled person well enough under
the environmental conditions of the moment. A False
Reject is just the opposite and occurs when the biometric
system fails to recognize a person otherwise properly
enrolled and authorized access.
In addition to true False Reject errors that occur due to
the nature of the image comparison algorithms and their
pass/reject scoring process, rejections can occur when
the biometric is obscured by foreign objects on the body
or the imaging device. For example, such an error might
occur when a mechanic has been working with greasy
auto parts and whose fingerprints are too dirty to be
properly imaged. A similar error might occur when a person
moves his/her head quickly while the iris is being imaged
for recognition. These rejections are attributed to a
Failure to Acquire (FTA). Since many modern biometric
devices have relatively low FA/FR error rates, most False
Rejects are most likely to actually be FTAs. While little can
be done to eliminate False Reject errors, 44 the positive aspect
of FTAs is that the problem can be corrected quickly,
cheaply, and simply by training the subject to present
clean hands to fingerprint devices and to stand straight
and steady before iris recognition systems.
FR errors take on more significance in the commercial ap-
44 In theory, FR errors can be reduced significantly but will increase FA errors.
FR errors in conventional applications are administrative nuisances
that annoy the users but do not jeopardize the security of the protected
assets. FAs, on the other hand, represent a real hazard to those assets.
Consequently, systems are normally adjusted to minimize FAs without
creating an unacceptable level of FRs.
Version 2 – Summer 2008

Section 4 16 The Biometric System Design Process
plication of biometrics because they frustrate and annoy
legitimate customers and thwart or delay the transaction
they wish to complete. This problem may motivate system
owners/operators to accept a higher FA rate to reach
a more permissive or convenient operation. This might
even be appropriate in an ATM application where large
losses are prevented by applying other constraints such
as maximum withdrawal limits and limiting withdrawals
to one per person a day.
Scientists and researchers in the field have noted
that the terms False Accept and False Reject
are decision errors and are thus application-
specific describing the outcome of the decision process.
In the access control context, therefore, False Accept errors
are caused by False Match (FM) errors and False Reject
errors are caused by False Non-Match (FNM) errors.
This terminology takes on additional value in discussions
of other applications of biometric technology where the
FA/FR terms would be inappropriate.
2. A “Before and After” Perspective in
Access Control Design
A biometric device may be used in virtually any scenario
in which one might otherwise use a key, identification
card, security card, or password to gain access into a
physical facility, a virtual domain (information system),
or a welfare process. Examples of these applications include
using a:
•
Key to open a door to a protected building or a room
within that facility
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 17
•
•
•
•
•
•
Combination to open a padlock securing a door
“Proximity Card” to open a door to a secured area
Driver’s license to pass through an airport security
line
Company ID card to move from a public area into a
secure company area
Password to log onto a personal computer or into a
company information system
State-issued ID card to participate in a welfare funds
distribution system
Each of these examples illustrate two of the three tools
used for security and access control:
1.
2.
3.
Something (or token) that you hold or possess (e.g.,
a key, card, or ID)
Something that you know (e.g., a combination or
password)
Biometrics provides the third tool - something you
are, some observable physical feature that can be
used to uniquely identify a person.
Interestingly, objections to biometrics have been raised
based on the realization that biometrics are not perfect.
There seems to be some shock effect when confronted
by the concept of biometric error rates when, in fact,
traditional solutions are far and away more error prone
and vulnerable than biometric solutions. Consider the
case of a simple lock and key. The False Non-Match Error
Version 2 – Summer 2008

Section 4 18 The Biometric System Design Process
(FNM) rates of a physical key from a locksmith are fairly
low, but think of the times when a key had to be jiggled
and wiggled before the lock would open. This is a type
of false reject. The same thing often happens with room
cards issued by hotels that have to be jostled and twisted
to make the door open. The owner of the key is entitled
to access but the system, for a period, rejects attempts
to enter.
It is likely the FNM of a lock and key is worse than many
biometric systems. As the lock (or key) ages, this becomes
more true. The False Match Rate (FMR), though, is
equal to the likelihood that the lost key will be found and
used, or that it may be stolen and used, a likelihood one
should believe to be quite high, certainly much higher
than even the weakest biometric solution in many cases.
Likewise, other tokens, such as ID cards or proximity
cards, are easily and often lost or stolen and potentially
misused. Certainly, stolen tokens will most likely be misused
at the first opportunity (before a lost or stolen card
report is filed) and there is little to prevent such misuse.
Simple possession of the card is assumed to equal entitlement.
The point to be made here is that error rate expectations
should be realistic, both in the context of the assets to be
protected and with respect to the type and nature of the
biometric technology to be used. As noted, access control
tokens (keys, cards, etc.) provide poor security if stolen
or forged and knowledge-based controls (password,
pass phrases, etc.) are routinely compromised through
guile, theft, and carelessness. To insist that a biometric
system replacing these older tools perform without error
or mishap is both unrealistic and unreasonable. Properly
used, current biometric systems routinely offer reliability
levels on the order of 95–99 percent. To require perfec-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 19
tion or a 0 percent error rate is unreasonable and unachievable.
Those who would demand this level of performance
should place their requirement in the context of
their current situation where the reliability of existing access
control technology is often less than 60–75 percent.
It is reasonable to expect that any biometric system installed
to replace an existing access control system perform
as well as the system it is replacing. It is reasonable
to expect that the new system, in concert with other security
measures employed satisfy the owner’s “duty to care”
responsibilities. Basically, owners and senior managers of
a corporate enterprise have a fiduciary responsibility—
“duty to care”—to stakeholders to provide adequate security
and safeguards for corporate assets. This is often
computed as the total value of assets—tangible and intangible
(such as trade secrets)—times the likelihood of
loss through natural disaster, fire, theft, fraud, or unauthorized
taking, compromise, or viewing.
In theory, providing loss insurance for the full value of
these assets might satisfy this duty, but it is likely that the
insurer will require that proper safeguards be installed to
minimize the likelihood of such losses. Often, however,
the implementation of a biometric system can eliminate
the need to pay for recurring security measures such as
keys, cards, password help desks, etc., resulting in significant
life-cycle savings without compromising the company’s
security posture, thus satisfying both the insurer
and the stakeholders.
The most difficult aspect of managing these issues in an
IT environment is that both loss and compromise of corporate
information assets are frequently hard to discern.
First, it is uncertain, without a full-scale investigation, to
determine whether proprietary information (or intellec-
Version 2 – Summer 2008

Section 4 20 The Biometric System Design Process
tual property) has been compromised unless the benefactor
of such a compromise makes a blatant use of the
information, such as producing a new beverage identical
in flavor and content to Coca-Cola. In larger organizations,
accounting allowances are made for shrinkage or
breakage. How much of the historic levels of shrinkage
or breakage have been the result of employee theft vs.
employee mishap? Improved security measures should
reduce the incidence of employee theft, but this statistic
will be some time in coming and will still be presumptive
at best. In a larger sense, of course, the security of such
assets is not normally left to a single access control strategy
but to a solution in which there are several layers of
safeguards.
In brief, it is important that specifications for a biometric
system begin with the articulation of a concept of application.
Rather than using a specific biometric, such as
fingerprint or iris or hand geometry, it would be best to
express the concept using the term biometric.
The simplest way to start the concept description would
be to describe the current process—how things are done
today—then substitute the word biometric wherever
the current process uses a token of some sort to validate
the subject and use the term present in any place the description
might use the word(s) insert, show, display, or
some other descriptor.
Example 1—Plant Door Access Control
Current Practice: Proximity technology-based keycards
are issued to all staff and selected visitors for access to
company facilities. At the time of enrollment, user permission
to pass selected doors at specified dates and
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 21
times is defined by the Security Office in conjunction with
the user’s organization and company policies. The user
approaches the selected door and holds the proximity
card within a few inches of the card reader. Each month,
4.5 percent of the cards are lost, mutilated, or otherwise
become unusable and must be replaced at a cost of US
$1.50 per card. This represents an annual expense of US
$810 to replace the cards and US $10,800 for the labor
time of the Security Officer to initially issue, and re-issue
the card, for a total annual expense of US $11,610. In addition
to the issue and re-issue cost to cards, each lost or
stolen card represents a real potential for access to the
company facilities by one or more unauthorized persons.
Theft or destruction of company property could be quite
substantial, possibly in excess of several million dollars.
The Security Officer believes that the quality of secure
access control would be greatly enhanced and the cost
of access control greatly reduced by the transition to a
biometric-based access control system.
New Operational Concept: All staff and selected visitors
will be enrolled in a fingerprint-based biometric system
and issued a four-digit PIN. At the time of enrollment,
user permission to pass selected doors at specified dates
and times are defined by the Security Office in conjunction
with the user’s organization and company policies.
A fingerprint reader is installed at each location where
there was a proximity card reader. The user approaches
the selected door, enters his/her PIN on the keypad and
places the enrolled finger(s) on the platen.
A phased transition is used to procure the biometric access
control technology equipment and related software,
enroll employees in the new biometric system, remove
existing card readers, and install new biometric-based
door controls and implement the new system.
Version 2 – Summer 2008

Section 4 22 The Biometric System Design Process
Example 2—IT System Access Control
Current Practice: A company presently requires users to
log onto the network using a password string consisting
of letters (upper and lower case), numbers, and special
characters, that is at least eight characters long. Passwords
must not represent any word or parts of words
found in dictionaries, nor should they include any calendar
dates. There is concern for several reasons:
•
•
•
•
•
These passwords are hard to remember, so many
people write them down where they can be easily
found near the computer monitor or desk drawer,
representing an unintended opportunity for a security
compromise.
These passwords must be changed every 90 days.
Forgotten passwords cannot be retrieved by the IT system
administers, but must be reset to a common password,
then reset to a new password by the user. This
requires a few minutes time by the system administrator
to reset to the temporary password and the time
taken by the employee to create a new password (software
on the network server ensures that the new passwords
conform to the model described above).
Time lost to resetting passwords represents an opportunity
cost to productivity.
Additional passwords are required to access selected
applications such as the corporate accounting system
with the same sort of associated hazards, problems,
and costs.
New Operational Concept: All staff will be enrolled in
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 23
a biometric system. At the time of enrollment, user permission
to use certain workstations and enter certain
domains is defined by the Security Office in conjunction
with the user’s organization and company policies. Each
workstation and laptop computer will be equipped with
a biometric-based access control device. The user approaches
his/her workstation, enters his/her PIN on the
keyboard of an assigned workstation, and then places
the enrolled finger(s) on the platen attached to the
workstation. User identification and validation at the
workstation level is automatically passed by software to
all authorized applications so the user does not have to
repeat a log-in. Sensors will be installed in each workstation
and set by the system administrator to log off
or shut down the workstation if no activity takes place
within a certain period of time or if the user moves away
from the computer monitor.
There are several significant benefits by switching to a
biometrically-based IT-system access control system.
These include:
•
•
•
Productivity savings by not having to reset or recreate
passwords.
Greatly enhanced IT security by eliminating the unauthorized
posting of passwords in personal workspaces;
thus keeping the system from being compromised.
Elimination of other adverse practices by establishing
personal accountability for proper use of computing
equipment.
Version 2 – Summer 2008

Section 4 24 The Biometric System Design Process
3. The Architectural Aspects of an
Automated Access Control Portal
A portal, in this context, is an electronic controlled-
access door. Figure 4-1 illustrates the key elements of
the portal. Portals control the flow always into and out
of a protected space or area.
a. Central Control and Enrollment
All access control systems involve a central enrollment
process. At this point,
persons authorized to
access controlled spaces
are enrolled or recorded
into the system. Most
electronic access control
systems also include a
central processing component
that, upon completion
of enrollment,
broadcasts relevant enrollment
data to each of Figure 4-1
the portals in the system.
In some systems, the data are transmitted to just those
portals or portal control units through which a person
is authorized to pass. In addition to the key enrollment
data, the signal also includes instructions as to what days
of the week and time of day access is permitted. The only
system in which the broadcast does not occur is one in
which all of the enrollment data are stored at the portal.
b. Electronic Strike
The key element of the portal is the electronic strike that
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 25
releases the lock so the door may open. Normally, all this
requires is a pulse of electricity of a certain voltage and
duration. For this reason, great care must be taken to ensure
that wires leading to the strike are protected from
contact outside the protected space.
c. Control Device/Control Units
At the exterior of the protected area will be an access
control device, which may be a cipher switch control,
proximity card reader, contact card reader, biometric device,
or a combination of these. There are normally two
possible outputs from these devices.
The first is a simple relay closure pulse sent to the electronic
door strike activating it. In this scenario, all of the
permissions of authorized users have to be stored within
the device itself. The positive aspect is that such devices
are normally inexpensive and simple to install. The negative
aspects are that all enrollment has to take place at
the portal, the device will have only a limited capacity,
and there is likely to be a limited number of access rule
options available.
The second is a series of binary numbers sent instead to
a door controller unit (DCU). The DCU may be located
either at the central control/enrollment point, or it may
be located near one or more doors under its control. The
latter is the preferred and most common method. Often,
the remote DCU has considerable storage and logic processing
capacity. In the event communications are broken
between the central control system and the various
DCUs, the DCUs can continue to operate without interruption.
The only persons affected will be those who enroll
just before or during the communications break. In
addition to facilitating the enrollment of a large number
Version 2 – Summer 2008

Section 4 26 The Biometric System Design Process
of people, remote DCUs also enable extensive rule processing
to cover holidays, weekends, several shift periods,
and so on.
The negative aspect of a remote DCU is that it often sits
on the inside of the protected space close to the controlled
portal either on a wall or in a false ceiling, but
accessible from the outside by intruders climbing up
through the false ceiling, over the barrier wall, and into
the protected space where they can take control of the
DCU. In structures using false ceilings, special care and
attention has to be made to preclude this type of circumvention.
Structural rules for high security facilities often
prohibit false ceilings and require solid concrete or steel.
d. Request to Exit (RX)
Inside the protected space and near the portal will often
be a device designed to let the electronic strike release
the door. While some doors will be designed so the door
may be simply opened by turning the doorknob, more
secure strikes require an electronic pulse to activate the
release function. RX devices may be anything that can
trigger this pulse. Some RXs are simple infrared or microwave
motion sensors just like the kind that open doors
at the grocery store, some may be a button on the wall
next to the door that must be pushed to open the door,
and some may be pressure pads under the carpet near
the door. These simple RX devices ease exit when one’s
hands are full, but contribute little to security.
A more secure approach is to install a biometric reader
(often identical to that on the exterior of the portal), to
identify the person who is leaving the space or facility.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 27
This “advanced RX device” records the identity of the
person egressing the space or facility and the biometric
system will not let the person (or credential, at least), enter
any other space or facility until a valid exit event has
occured. (See also the following section on Tailgating.)
When tokens or cards dominated the access control business,
this was known in the trade as an “anti-pass-back”
feature. Today, application of biometric technology
largely avoids the passback practice. Nonetheless, using
biometric devices on the interior of spaces/facilities is
useful and in some cases, critically important. In nuclear
applications for example, it may be essential to know the
location of every individual in near real time in the event
of a life threatening emergency. In security and criminal
investigations it may also be extremely important to be
able to trace, re-trace, or verify the locations and paths of
many individuals.
e. Alarms
Some portal systems may include a local alarm, a remote
alarm, or combination of alarms that sound in the event
of an access violation. Whether to include these is a question
for local resolution and depends on the operating
scenario in which the system is installed.
f. Tailgating
Tailgating occurs when one or more additional people
pass through a portal on the strength of the leading person’s
credentials - with or without that person’s knowledge/consent.
In systems using anti-pass-back measures,
individuals may not depart unless they have used
their credentials (or biometrics) properly to enter. In other
systems where anti-pass-back has not been invoked,
the perils of tailgating are real and can be controlled in
Version 2 – Summer 2008

Section 4 28 The Biometric System Design Process
several ways.
The least expensive (and least secure), is to make the subject
of tailgating part of the overall security education
motivation program in the institution, with appropriate
actions and penalties for those who do not comply. Such
a system relies on the integrity and motivation of each
employee or assigned person, so a good enhancement
to this policy would be the installation of CCTV cameras
and video recording systems that would be activated every
time the portal was opened for any reason. Unfortunately,
while this approach might be useful to determine
the identity of the unauthorized tailgaters, it would not
prevent any adverse actions in the meantime.
A method to thwart the human propensity for tailgating
virtually eliminates the opportunity by installing full
height turnstiles which allow only enough revolution for
one person to enter the area at a time. Such devices are
more expensive, but have been installed in numerous facilities,
including nuclear power plants.
A further refinement of this is
the use of a chamber called
a “sally port” (Figure 4-2), in
which only one door may be
open at one time. In certain
extremely high security applications,
such sally ports
have been augmented by
automated weighing (to insure
only one person is pres- Figure 4-2
ent), and use of automated
sniffers to detect the presence of explosives. Naturally,
each component adds to the cost of the controlled portal.
It is a management decision to determine what level
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 29
of security is required by the nature and/or value of the
protected assets within the contolled space.
g. Emergency Precautions
The issue of what to do with controlled doors in the event
of a fire or other emergency where immediate evacuation
is required is a matter of code and policy, not technology.
Most, if not all, security systems fail-safe, that is,
the controlled doors are released so people inside can
leave. If the only control in place is on entry into the protected
facility or room, then egress is a simple matter of
opening the door and leaving. If, on the other hand, both
entrance and egress are electronically controlled, then
releasing the doors for egress, of course, creates a serious
security compromise and must be accommodated
somehow. How it is treated depends very much on local
circumstances and situations beyond the scope of this
manual—or biometrics as a whole for that matter—to
deal with. Those designing any access-controlled portal,
regardless of the technology used, must develop a contingency
plan to implement in the event of such a mishap.
4. Critical Performance Expectations for
an Access Control System
a. Operating Performance
•
User-Interface, Ease of Use
This is a subjective judgement heavily influenced by
“Maximum Time to Enroll”. A user-friendly enrollment
system should be unobtrusive, intuitive, and quick. The
nominal time actually observed to enroll will suggest
Version 2 – Summer 2008

Section 4 30 The Biometric System Design Process
the degree to which such a statement is true. The
purchaser may want to ask for a test and demonstration
to determine this factor.
•
Maximum Time to Enroll
This should be expressed in minutes or fractions of minutes.
There should be a rational relationship between the
number of enrollment points, the number of people to
be enrolled and time available to complete enrollments
under normal circumstances. Since Failure to Acquire Errors
are often the consequence of a poor enrollment image,
adequate time must be provided during enrollment
to obtain high quality enrollment images. In larger organizations,
the transition to a biometric system may create
a requirement for a number of temporary enrollment
stations that the vendor may provide gratis or rent for
a short period to expedite the enrollment process. The
vendor’s proposal should include a discussion of this issue.
•
Enrollment Sensitivity
Again, this is a subjective measure best measured by the
Failure to Enroll Rate below.
b. Error Rate Tolerances
•
False Match Error Rate
This is a key factor related to the purchaser’s acceptable
level of risk that is, in turn, a function of a number of legal
and fiduciary responsibilities discussed earlier in this
section.
•
False Non-Match Error Rate
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 31
Any adjustment to the False Match Rate has an inverse
impact on the False Non-Match Rate. Tightening one
will loosen the other, although not necessarily in a linear
relationship. The purchaser should therefore specify a
maximum acceptable False Non-Match Rate at the specified
False Match Rate to preclude acquiring a system that
meets the specified False Match Rate at the expense of
an unacceptable number of False Non-Matches.
•
Maximum Failure to Enroll Rate
Most all biometric systems have some limits on their ability
to enroll certain individuals. Alternative security arrangements
need to be made for these individuals. Proposals
should identify the vendor’s estimate of this type
of error. The purchaser must translate this to an expected
number of enrollment failures and make a management
decision whether this would be an acceptable number in
light of the alternative security arrangements that would
have to be made.
•
Maximum Failure to Acquire Rate (FTA)
During the normal operation of a biometric, many devices
suffer from a “Failure to Acquire” a useful image of
the biometric being used. Examples include a smudged
fingerprint, a poor iris image because the subject moved
during imaging. From an operational perspective, FTA
appears like a False Non-Match with the same consequence.
Often, a higher quality enrollment image will
result in a lower FTA rate. From a security management
perspective, though, users will be indifferent to the actual
reason for rejection: FR or FTA. The consequence is
still the same - rejection. In practice, the combination of
the system’s actual False Non-Match Rate and the FTA together
should not exceed the purchaser’s stated accept-
Version 2 – Summer 2008

Section 4 32 The Biometric System Design Process
able False Non-Match Error Rate.
c. Desired System Operating Speed
The nominal or average speed under normal operating
circumstances, expressed as Throughput, or
Throughput Rate, or both:
•
•
Throughput (Transaction time)=Seconds required to
process one person
Throughput Rate=Number of persons processed per
hour or minute
d. Standards Compliance
Section 5 provides a comprehensive review of existing
biometric standards. The Performance and System Specification
should indicate whether products offered in response
to the solicitation need to meet or comply with
published standards.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 33
5. Examples of Access Control Systems
a. Physical Access Control
Ex a m p l E 1. On E RO O m
Number of Devices: 1
Number of Enrollment Points: 1
Environment: Interior
Version 2 – Summer 2008
Exterior
Climate: Temperature
Humidity
Precipitation
Normal light and sound,
business office.
NA
Interior, N/A
Power Supply: Standard 120 VAC, wall run,
within inches of desired
location
System Interface: N/A
Users: 25
Networking: N/A
Privacy: Low level concern. Access to
data blocked.

Section 4 34 The Biometric System Design Process
Ex a m p l E 2. DO O R s in multiplE Bu i lD i n g s O n O n E Ca m p u s
This system comprises three buildings on five acres of
one campus. Twenty-three doors require biometric securing.
Four doors are exterior.
Number of Devices: 23 (19 interior, 4 exterior)
Number of Enrollment Points: 3
Environment: Interior
Exterior
Climate: Temperature
Humidity
Precipitation
Power Supply: Interior
Exterior
Normal light and sound,
business office.
Industrial park. Normal traffic
within 50 feet.
-5F to 105F
20% - 80% RH
14 in. annual rain, 8 in. annual
snow
Standard 120 VAC, wall run,
within inches of desired location
Standard 120 VAC, wall run
behind brick fascia, steel door
frames
System Interface: Fiber optic network with spare
fibers available
Users: 1234
Networking: Necessary. Campus has fiber
backbone installed.
Privacy: Mid-level concern.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 35
Ex a m p l E 3. DO O R s in multiplE Bu i lD i n g s O n multiplE
Ca m p u s E s
This system comprises twelve buildings on twenty-three
acres of three campuses on a sub-tropical island. One
hundred twenty seven doors require biometric securing.
Fourteen doors are exterior.
Number of Devices: 127 (113 interior, 14 exterior)
Number of Enrollment Points: 8
Environment: Interior
Exterior
Climate: Temperature
Humidity
Precipitation
Power Supply: Interior
Exterior
Version 2 – Summer 2008
Normal light and sound,
business office.
Automobile traffic within 200
yards.
-10F to 95F
40% - 95% RH
34 in. annual rain, 0-2 in. annual
snow
Standard 120 VAC, wall run,
within inches of desired location
Standard 120 VAC, wall run
behind brick or aluminum siding
fascia, steel door frames
System Interface: Fiber optic network with
spare fibers available on two
campuses. Telephone system
on third campus.
Internet/VPN desired for intercampus
communications.
Users: 52,350
Networking: Both LAN and WAN necessary
and available
Privacy: High-level concern.

Section 4 36 The Biometric System Design Process
Ex a m p l E 4. DO O R s a n D ma C h i nE R y O n nu m E R O u s sm a l l
si t E s natiOnwiDE (ga s st at i O n s)
This system comprises 1,875 buildings and 11,244 pumps
nationwide, plus a national headquarters building. All
buildings and pumps require a biometric-controlled lock.
All doors and pumps doors are exterior.
Number of Devices: 11,245, all exterior except HQ
enrollment point.
Number of Enrollment Points: 1,876
Environment: Interior
Exterior
Climate: Temperature
Humidity
Precipitation
Power Supply: Interior
Exterior
Normal light and sound,
business office (HQ enrollment
point).
Automobile traffic within onethree
feet of pumps, three-six
feet from doors.
National weather. Determine by
site location.
Standard 120 VAC, wall run,
within inches of desired location
Standard 120 VAC, conduit
run within three feet of device
location
System Interface: All sites have standard POTS
telephone service available.
Internet/VPN desired for intercampus
communications.
Users: 5,600
Networking: Recommended. VPN or Internet.
Privacy: Mid-level concern.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 37
b. Logical (virtual) access control
If this is a virtual domain; that is, an information system or
process based on an information system, is it:
•
•
A stand-alone computer:
–
–
How many?
How many users per workstation?
A networked system?
–
–
Number of workstations
Number of users?
This will describe in exact detail the number of devices
as well as the location and function of each biometric device
in the proposed system, as well as the location and
number of enrollment points.
Version 2 – Summer 2008

Section 4 38 The Biometric System Design Process
Ex a m p l E 1. st a n D-a l O n E DE s k t O p s a n D la p t O p s f O R sm a l l
Bu s i n E s s
Company owns 25 desktops and 15 laptop computers.
Desktops are not networked together. The owner wants
these to be biometrically secured.
Number of Devices: 40 (25 desktop, 15 laptop)
Number of Enrollment Points: 1
System Interface: Not Required
Environment: Standard office configuration.
Access to office space is
controlled by lock and key at one
door to common hallway.
Users: 75
Networking: Necessary
Privacy: Low-level concern
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 39
Ex a m p l E 2. nE t wO R kE D DE s k t O p s a n D DEplOyaBlE la p t O p s
f O R Bu s i n E s s
Company owns 125 desktops in one location and 25 laptop
computers. Desktops are networked together. When
present in the office space, laptops can also plug into
LAN. When not in an office, laptops are normally used in
hotels, conference rooms, etc. on the road.
Number of Devices: 13,305 (12053 desktop, 25 laptop)
Number of Enrollment Points: 2
System Interface: Secure LAN interface and control
required. Fiber network in place.
Environment: Standard office configuration.
Most desktops are in locked
offices. Access to office space is
controlled by lock and key at one
door to common hallway.
Users: 250
Networking: Yes
Privacy: Mid-level concern
Version 2 – Summer 2008

Section 4 40 The Biometric System Design Process
Ex a m p l E 3. nE t wO R kE D DE s k t O p s a n D DEplOyaBlE la p t O p s
f O R la R g E, gl O B a l Bu s i n E s s
Company owns 12,053 desktops in multiple locations
and 1,252 laptop computers. Company HQ is in New
York with major offices in five large cities abroad. Desktops
are networked together internationally. When present
in the office space, laptops can also plug into LAN.
When not in an office, laptops are normally used in hotels,
conference rooms, etc. on the road. One common
system desired.
Number of Devices: 150 (12,053 desktop, 1,252
laptop)
Number of Enrollment Points: 6
System Interface: Secure LAN interface and control
required. Fiber network in place.
Environment: Standard office configurations.
Configurations vary from
location to location from open
bays, cubicles, and locked
offices.
Users: 16,700
Networking: Yes. VPN and/or Internet
Privacy: High-level concern
Each of these examples has different operational challenges
and solutions. Vendors will need to carefully examine
the desired system details to confirm their ability
to comply with the specification.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 41
c. Examples of Combined Domains
In the case of a combination of physical and virtual domains
with an expectation that the two will work more
or less interactively, the sytem specifier must:
•
•
Describe each domain in detail.
Describe the anticipated link between the two
domains.
Ex a m p l E 1. DO O R s a n D in f O R m a t iO n sy s t E m s a t nu m E R O u s
sm a l l si t E s natiOnwiDE (fa s t fO O D si t E s)
This system comprises 1,875 buildings and 1,875 desktop
computers on as many sites nationwide, plus a national
headquarters building. All buildings rquire a biometriccontolled
lock. All doors are exterior. All computers are
interior.
Version 2 – Summer 2008

Section 4 42 The Biometric System Design Process
ph y s iC a l DO m a i n
This system comprises three buildings on five acres of
one campus. Twenty-three doors require biometric
securing. Four doors are exterior.
Number of Devices: 1875, all exterior except HQ
enrollment point.
Number of Enrollment Points: 1876
Environment: Interior
Exterior
Climate: Temperature
Humidity
Precipitation
Power Supply: Interior
Exterior
Normal light and sound,
business office (HQ enrollment
point).
Automobile traffic within 10
feet of doors..
National Weather. Determine
by site location.
Standard 120 VAC, wall run,
within inches of desired
location
Standard 120 VAC, conduit run
within 3 feet of device location
System Interface: All sites have standards POTS
telephone service available.
Internet/VPN desired for intercampus
communications.
Users: 2100
Networking: Yes
Privacy: Mid-level concern
Version 2 – Summer 2008

Biometric Technology Application Manual Section 4 43
Virtual Domain
Number of Devices: 1875 desktop computers
Number of Enrollment Points: 1
System Interface: Secure LAN interface and
control required. Standard
POTS telephone service at all
sites..
Environment: Standard fast food restaurant
configuration: cooking area,
customer area, and small office
location of computer.
Users: 2100
Networking: Yes
Privacy: Mid-level concern
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 1
Section 5: Biometric Standards
Structure of Biometric Standards
Introduction
In order to understand how the different types of biometric
standards fit together, it is useful to review the overall
structure of biometric standard both visually (diagrammatically)
as well as in a narrative. The structure shown
in Figure 5-1 is commonly called an “Onion Diagram”. It
shows biometric standards as a series of layers, starting
with the heart of the onion and the inner three layers,
all in blue, connoting those standards of most direct relevance
to biometric system developers and users. The
next layer (gray), deals with the interfaces which link the
biometric components to the rest of the application - access
control, watch list, or financial. Then there are the
outer two layers (orange) which define how to deal with
biometrics in terms of privacy, legal issues, and even the
language used to describe them. Finally, there are the
thin shells that separate and surround each layer..
These layers represent the conformance standards which
describe exactly how adherence to each of the other
standards can be measured. Each of the other standards
that sets out specific measurable requirements in its
conformance clauses will need a corresponding conformance
testing methodology standard. Without a separate
conformance standard, it is difficult to know if any
implementation of a given standard is correct, and that
is why conformance permeates the entire onion, giving it
structure and support.
Version 2 – Summer 2008

Section 5 2 Biometric Standards and Best Practices
Notes on the “Onion Diagram”: Don’t be intimidated
by the designations and acronyms on the right side of
the diagram. These are merely the international SC’s
(SubCommittees), WGs, (Working Groups), and the
U.S. technical committees’ TG’s (Task Groups M1.2
- M1.6) responsible for development of the standards.
The detail of these organizations and their functions
will be explained later in this section, but if you wish,
feel free to jump ahead and get a broader view of the
standards world as you work through Figure 5-1.
Data Interchange Formats
The inner core of the onion is the biometric data interchange
formats. These standards define the basic format
of biometric images or templates and tell the technology
manufacturers how to format data from their systems or
interpret data coming into their systems. Each biometric
modality (face, finger, iris, vein, hand, etc.) needs at
least one of these standards to allow interoperability of
data produced by different systems using that modality.
If no other biometric standards existed, some reasonable
measure of interoperability could still be achieved
using the standards in this layer, which is why they form
the heart of the onion. In some cases, different technologies
using a given modality may also need their own
standard. In ISO/IEC JTC 1 SC 37, for instance, there are
data interchange format standards being developed for
finger image (a raw or possibly intermediate biometric
sample) and for three types of processed biometric samples:
finger minutiae, finger pattern spectral, and finger
pattern skeletal. This reflects the maturity of the fingerprint
market with multiple technologies available to process
the raw biometric data. In an ideal world, each modality
would only use a single universal standard based
on processed data, but while this might be beneficial for
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 3
interoperability, it could inhibit the development of new
technological advancements and reduce absolute performance.
Logical Data Structure
The next layer is the logical data structure or exchange
format framework that is used to wrap the biometric data
so that systems receiving a file know how to interpret the
different data fields that might be associated with the
biometric data. These could include demographic information
or a digital signature to verify the data packet
has not been tampered with. CBEFF (Common Biometric
Exchange File Format) is currently the most important
standard in this layer (see CBEFF in Section 2, Terms and
Definitions Related to Biometrics and a detailed explanation
later in this Section under Current Work in Biometric
Standards Development.) The work of OASIS on the
XCBF is also part of this layer, although it does address
some of the security issues outlined in the next layer.
Version 2 – Summer 2008

Section 5 4 Biometric Standards and Best Practices
Data Security
Once the core biometric data in a standardized form
has been wrapped in a standardized file format, it is
likely necessary to protect the data. This may involve
the use of digital signatures in the CBEFF, as discussed
previously, or the specification of a secure transmission
protocol such as HTTPS to transer the XCBF compliant
XML data. There are numerous encryption schemes
that can be used, including traditional encryption
which simply treats the biometric data as another
payload, and biometric encryption, where the biometric
characteristic is used in the encryption algorithms
and thus not considered ready for general use.
Standardization in these areas is a matter for security
and cryptography experts and falls under the purview of
ISO/IEC JTC 1 SubCommittee 27 “IT Security Techniques”.
System Properties
The next layer involves the properties of the biometric
system. One of these is the performance of the biometric
system, which is absolutely fundamental to deployment
decisions. If the biometric system cannot enroll a sufficient
percentage of the target population or if its ability
to correctly match biometric samples from the same
person without falsely matching samples from different
people is insufficient, then the system is unsuitable for
deployment. Significant progress has been made in advancing
biometric performance testing standards, both
in the United States and internationally, during the last
few years and several standards will be ready to publish
in the near future. One particularly important subset of
performance testing, where work is still ongoing, is interoperability
testing. One of the key purposes of biometric
standards is to allow interoperability among com-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 5
ponents and systems involving biometrics. Performance
based interoperability testing is important because it
documents not only that two systems can work together
but how well they work together - a critical issue for system
design and procurement decisions.
Security evaluation standardization is also important. It
permits methodologies to be developed by which biometric
systems can be evaluated so that their security
level is well established, rather than being the subject
of vendor claims or uncertain testing. Once again, this
falls under the mandate of groups such as SC 27 or X9,
but in this case there is a definite need for advice from
biometrics experts. That is because one of the critical
items in defining overall system security is the performance
of the biometrics itself. Extensive liaisons now exist
between SC 37 and SC 27, especially on “ISO 19792 - A
framework for security evaluation and testing of biometric
technology”.
The final area of biometric system properties is the specification
of any explicit properties that are required for a
particular application domain. This can be done through
a biometric profile, such as those being developed for
airport employees and seafarers in SC 37 or those already
published for transportation workers and border
management in the United States. It can also be accomplished
through additional specifications from an end
user organization that will supplement the base standards.
ICAO has chosen this route, as has ILO for its first
round of the Seafarers’ Identity Document, although ILO
is also participating in the SC 37 development of a corresponding
profile for seafarers. There will need to be
a reasonable number of biometric application profiles
developed during the next few years as biometric standards
and the biometrics market mature and as applica-
Version 2 – Summer 2008

Section 5 6 Biometric Standards and Best Practices
tions proliferate. Eventually, however, new application
areas should be able to use one of the existing profiles
with little or no modifications.
Interfaces
Biometric interfaces form the next layer of the onion
(gray). These are interfaces between the core biometric
systems, represented by the inner four layers of the
onion and the outside world. Foremost among them is
BioAPI, but there are now other interface standards under
development that will significantly expand the scope
of the current BioAPI. Most of the new work is taking
place within SC 37 and features amendments to BioAPI
2.0 to support GUI control and data archiving. There is
also work on a Biometric Interworking Protocol to allow
BioAPI systems on different computers to communicate
and work together, as well as smaller version of BioAPI
that is specifically designed for constrained systems with
low memory and/or processing power. The M1.2 Task
Group of M1 has led the way in the United States with
publication of ANSI INCITS 358-2002/AM1-2007, which
amends the BioAPI specification by adding support for
multibiometrics or biometric fusion. As these standards
develop, it is important that proper coordination between
the biometrics experts and the experts in other
areas of information technology, exist to ensure that the
technical interfaces being developed adequately reflect
modern system design principles and requirements.
Vocabulary
The final two layers of the onion (orange), represent the
outside world and how to deal with biometrics as a general
subject. A harmonized biometric vocabulary allows
different groups to avoid miscommunication when dis-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 7
cussing biometrics. This is important in harmonizing the
language used in all of the other standards’ documents,
but it also plays a role in simplifying the deployment of
biometric sytems. Unfortunately, progress in developing
a harmonized vocabulary remains slow. There are definite
linguistic and usage issues which separate various
groups within SC 37 and even within the United States.
Fortunately, general industry practice has accepted particular
usages of certain terms, so that even if they are not
agreed upon in a standard, there is de facto agreement
outside the standards’ process. In the meantime, both
M1 and SC 37 will continue work on vocabulary issues.
Societal and Cross-Jurisdictional Issues
Societal and cross-jurisdictional issues involve the impact
of biometrics on privacy, health, safety and other
similar areas. SC 37 is studying standardization of these
areas internationally and M1 is participating to represent
U.S. interests. Within each country or region there are different
legislative issues and public perceptions that may
influence how biometrics are used. The key goal here is
develop a standardized way of measuring or managing
these issues and, if possible, a set of minimum guidelines
that can achieve sufficient consensus to be internationally
standardized. The international standards in this area
will be particularly important for the deployment of large
scale cross-border systems, as proposed by ICAO or ILO
for instance. It is not an easy task, though, to achieve international
consensus on these issues.
Conformance Testing
Finally, surrounding and pervading the entire onion is
the issue of conformance testing standards. Most standards
in the other areas enumerated previously do not
Version 2 – Summer 2008

Section 5 8 Biometric Standards and Best Practices
provide any formal way of certifying that a particular
technology or product conforms to the standard. There
are exceptions. Certain standards, such as vocabulary,
do not require conformance testing. Others, such
as biometric profiles, rely on the conformance testing
standards associated with the base standards they reference,
combined with the application specific guidance
they provide. Thus, they do not need a separate conformance
testing standard. The vast majority of standards,
however, do benefit from a detailed conformance testing
standard, and this is an area where significant work
is now underway both in M1 and SC 37. A small number
of conformance testing standards have been published
- specifically ANSI INCITS 429-2007 and ISO 24709, which
provide standardized methods of determining whether
a software system conforms to the BioAPI standard. Significant
progress in the overall understanding of how
conformance testing biometric products and systems
has been achieved and of the number of conformance
standards are on the horizon.
Conformance testing standards have another benefit. In
addition to ensuring that individual products or systems
conform to a base standard, they can reveal problems in
the base standard itself. It may have too many optional
features so that multiple products that are conformant
with a standard designed to promote interoperability
are not actually interoperable with each other. Alternatively,
the standard could be written so loosely that it is
subject to interpretation, and vendors may believe their
products conform to the standards when, in reality, they
do not. Conformance testing standards provide: a set of
specific testing methodologies that vendors or third party
testing laboratories can use to test the conformance of
individual products to a particular standard. Thus, most
of the problems mentioned above will be revealed as the
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 9
conformance testing standard is developed. Indeed, numerous
minor problems have been revealed in the first
generation of M1 and SC 37 standards due to recent work
on both conformance and interoperability testing, and
projects are now underway to improve these standards.
The Importance of Biometric Standards
Biometric technologies have the potential to become
the foundation of an extensive array of highly secure
identification and personal verification solutions. In addition
to supporting homeland security and preventing
ID fraud, biometric-based systems are able to provide for
confidential financial transactions and personal data privacy.
Enterprise-wide network security infrastructures,
employee IDs, secure electronic banking, investing and
other financial transactions, retail sales, law enforcement,
and health and social services are already benefiting from
these technologies. Before that potential can be fully realized,
however, a comprehensive array of standards will
be necessary to ensure that information technology systems
and applications are interoperable, scalable, usable,
reliable, and secure.
For any given technology, the development of industry
standards assures the availability of multiple sources of
comparable products in the marketplace. It also ensures
uniformity of certain processes to enable communication
and data exchange between systems. Further, it
provides an accepted series of metrics by which vendor’
claims can be judged.
In the past, the biometric industry has been characterized
by a mass of small, highly competitive companies,
each with the desire to promote its own proprietary technology.
This “marketing orientation” often outweighed
Version 2 – Summer 2008

Section 5 10 Biometric Standards and Best Practices
the desire to see the entire biometric sector benefit from
increased standardization. In recent years, however, the
biometric industry has begun to build consensus-based
industry standards.
The underlying goal in developing biometric standards
is to make systems that include biometric technology
easier and more reliable to deploy and maintain. Basically,
the existence of standards lowers risk. According to
Fernando Podio, co-chairman of the Biometric Consortium
and a program manager at the National Institute of
Standards and Technology (NIST), biometric standards
“are needed and expected by many end-users.,” “Without
open standards, you cannot really achieve interoperability.”
Vendor lock-in makes it much more difficult to interpret
other biometric technologies, make upgrades, swap one
technology for another, or integrate more than one biometric
technology into a single system. Enterprise systems
and applications based on consensus biometric
standards are more likely to be interoperable, scalable,
usable, reliable, secure, and economical than proprietary
systems.
The biometric industry is still evolving, developing new
technologies and solving technical issues. In addition to
technological issues, there are standards issues impacting
that evolution.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 11
Issue: While some progress has been made in development
of testing standards, it has been, in general,
broad areas relative to testing such as Principles and
Framework and specifying those “P’s & F’s” for the three
main areas of testing: Technology, Scenario, and Operational
(see paragraph on M1.5 below). There are currently
no approved national or international standards
for measuring and reporting the accuracy of specific
biometric modalities in an area of testing. Indeed, despite
tremendous effort by the standards development
community, there is not yet agreement on taxonomy
of biometric applications - the closest the industry has
come is an international Technical Report on modalityspecific
testing that attempts to define taxonomy of
biometric applications so that different testing methods
can be specified where appropriate.
Impact: The lack of established scientific standards for
comparing the accuracy of different biometric products
known as “performance testing standards” results
in marketplace confusion and makes the job of comparing
biometric products extremely difficult. Currently,
it is essentially impossible to scientifically compare
the accuracy of different biometric products in a repeatable
manner. Biometric product consumers currently
have no scientifically developed, agreed-upon
methods to determine how well the biometric products
they buy, or are considering, actually work.
Version 2 – Summer 2008

Section 5 12 Biometric Standards and Best Practices
Issue: As of mid-2008, only two national standards existed
for evaluating whether a product that claims to
support a biometric standard actually conforms to the
standard. One gives broad, general guidance (ANSI
INCITS 423.1-2008 “Generalized Conformance Testing
Methodology”), and the other is specific for the BioAPI
(ANSI INCITS 429-2007 “Conformance Testing Methodology
for INCITS 358-2002 BioAPI Specification”).
Impact: The lack of established conformance testing
standards results in an inability to verify that a commercial
product conforms to a standard, such as Bio-
API, and thus makes it impossible to guarantee the
interoperability of the product with other biometric
products or system components.
The consequences of using technologies that are not
compliant with standards’ bodies are twofold: 1) the
products in question will most likely not interoperate
with the products of competing vendors and 2) the
products in question may not interface with other portions
of the applications.
Example: Using biometrics at a bank. The security department
of a bank wants increased accountability and
a solid audit trail for determining who accesses various
files, accounts, or even the safe. The IT department of
the bank wants to reduce help desk cost for password
resets and other administrative functions dealing with
user identity. The bank has many branches that are geographically
dispersed, and a variety of users (employees)
of difference in age, gender, dispositions, etc. With any
technology, there will be a small percentage of the user
population who cannot or will not use it.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 13
An important point concerning standards-compliant
biometric technologies is that they can be mixed-andmatched.
If there is a particular biometric technology
that one segment of the user population cannot use,
then a different biometric technology can be incorporated
to accomodate these variations. Standards-based
biometric technologies and systems will be versatile and
flexible, whereas proprietary systems that do not comply
with industry standards may not be.
Additionally, standards-based biometric systems allow
enrollment on one system, for example, and matching on
another. File interchange formats allow data interchange
so an enrollment on System A at Location C can be recognized
and matched on System B at Location D.
Example: Using biometrics at military installation 45 A
small office of workstations or a single access gate to a
military installation presently use biometrics on a small
scale. In such situations, there could be a future requirement
or mandate for those resources (e.g., workstations
or gates) into a larger regional system. If the products
in question are not standards-based, then integrating
local systems into a large regional system at a later date
will likely require a costly and operationally disruptive replacement
of technology.
45 Example extracted from U.S. Department of Defense Biometrics
Standards Development Recommended Approach, Biometrics
Management Office. September 2004.
Version 2 – Summer 2008

Section 5 14 Biometric Standards and Best Practices
Current Work in Biometric Standards
Development
Note on currency: As with any effort to provide information
about a proces which is moving forward and evolving,
“currency” becomes a relative term. It is especially so in
the area of standards, where standards bodies are meeting
four to six times annually and there are upwards of 20 projects
being discussed at any given time. “Emerging” (not
yet published), standards can transition to “Published”
overnight. While the references to specific standards and
projects underway are as current as we know today, the
most current information in the future can be found on
the NBSP Web site at: http://www.nationalbiometric.org/.
There are several groups, both national and international,
that are playing major roles in the development of standards
for biometric technologies. The remainder of this
section will summarize the activities of the major groups
at both the national and international levels. Because of
the plethora of new biometric standards activities, this
list should not be considered exhaustive. To simplify the
analysis, the standards-developing groups are classified
into three broad categories:
1.
2.
3.
Government appointed standards development
bodies (e.g., ISO, ANSI, NIST)
Industry and other consortia (e.g., BioAPI Consortium,
OASIS)
End users (e.g., ICAO, ILO)
Groups in the first category try to develop standards in
accordance with their government appointed mandates,
either to achieve the overall economic benefit that re-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 15
sults from standardization or to fulfill specific legislative
mandates such as those of the U.S. PATRIOT Act.
Groups in the second category attempt to develop standards
that support the aims of their membership. While
these generally align with the overall goal of enhancing
standardization, individual consortia may have narrow
aims, so there are often gaps or overlaps between the
standards development work of the various consortia
that can lead to confusion.
Finally, the third category of groups develops specific
standards related to a particular technology application
that is within its domain. In an ideal world, these end user
groups would be able to reference general standards developed
by the other groups and apply them to their domains.
International Standards Organizations
There are standards groups throughout the world that
seek to fulfill their mandates in the same way U.S. groups
do. There are also regional groups such as the European
Committee for Standardization, which has an Information
Society Standardization System (CEN/ISSS) whose
mandate includes building a European consensus on IT
standards. The most relevant bodies for U.S. consideration,
however, are those which set global standards, as
they will have the most impact and provide the best opportunity
for U.S. participation.
International Organization for Standardization
(ISO)—ISO is the world’s largest developer of standards.
It is composed of representatives from the national standards
bodies of 148 countries, with a central secretariat
Version 2 – Summer 2008

Section 5 16 Biometric Standards and Best Practices
based in Geneva, Switzerland, that coordinates activities.
Although ISO is primarily composed of national standards
bodies, the representatives from these bodies may
be from either government or industry sectors, and there
are external groups that hold liaison status with ISO. Several
committees within ISO are at least partly involved in
biometric standards development.
International Electrotechnical Commission (IEC)—The
IEC was one of the first international standards bodies to
exist, being founded in 1906, predating ISO by 41 years.
Its mandate is to prepare and publish international standards
for all electrical, electronic, and related technologies.
ISO/IEC Joint Technical Committee 1 (JTC 1)—In
1987, the International Organization for Standardization
(ISO) and the International Electrotechnical Commission
(IEC) formed the Joint Technical Committee 1 (JTC 1) on
Information Technology (IT) to develop and promote IT
standardization and thereby meet the global demands
of businesses and users. The ISO/IEC JTC 1 created a series
of SubCommittees (SCs).
• SC 17 is responsible for cards and personal identification
and particularly focused on the application of
biometrics to smart cards and travel documents.
• SC 27 is responsible for IT security techniques and
focused on security issues surrounding biometrics
and the evaluation of the security implications of
biometrics.
SC 37
• has the primary responsibility for biometrics
standards in the international arena.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 17
ISO/IEC JTC 1 SC 37 on biometrics was established in
June 2002. The formation of JTC 1 SC 37 was initiated
and championed by the United States. The establishment
of JTC 1 SC 37 provides an international venue to
accelerate and harmonize formal international biometric
standarization. Such harmonization will ensure that future
standards-based systems and applications are more
interoperable, scalable, reliable, usable, and secure.
At the international level, SC 37 has become a vital force
in biometric standards development activities. SC 37
formed to ensure rapid and comprehensive development
of biometric standards at the international level,
while minimizing overlap with work in SC 17 and SC 27.
The scope of this work is defined as “Standardization of
genetic biometric technologies pertaining to human beings
to support interoperability and data interchange
among applications and systems. Generic human biometric
standards include: common file frameworks; biometric
application programming interfaces; biometric data interchange
formats; related biometric profiles; application of
evaluation criteria to biometric technologies; methodologies
for performance testing and reporting and cross jurisdictional
and societal aspects.” 46
SC 37 has several subordinate Work Groups (WGs) that
address different aspects of biometric standards development.
These include:
•
•
WG 1 – Standards for Biometric Vocabulary
WG 2 – Standards for Technical interfaces
46 According to ISO/IEC JTC 1 SC 37
Version 2 – Summer 2008

Section 5 18 Biometric Standards and Best Practices
•
•
•
•
WG 3 – Standards for Data Exchange Formats
WG 4 – Standards for Biometric Profiles
WG 5 – Standards for Performance Testing and
Reporting
WG 6 – Standards for Cross-jurisdictional and
Societal Aspects
Effectively, SC 37 is the international counterpart of
INCITS M1 47 within the United States., and its areas of
work map closely to those activities supported by M1.
Biometric standards developed in the United States must
be coordinated with an international forum.
INCITS (International Committee for Information
Technology Standards)—INCITS is the primary U.S. standardization
body in the field of information and communications
technologies. This includes information
storage, processing, transfer, display, management, organization,
and retrieval. INCITS has a number of Technical
Committees (TCs) that lead standards development efforts
in various areas. In fact, there are more than 30 TCs
within INCITS, including several that touch on biometric
standards. The TC that focuses most prominently on the
development of biometric standards is known as M1.
INCITS Technical Committee M1 Biometrics—INCITS
M1 is the U.S. Technical Advisory Group (TAG) to ISO/IEC
JTC 1 SC 37 – Biometrics. M1 was established to ensure
a high priority, focused, and comprehensive approach
in the United States for the rapid development and ap-
47 See INCITS Technical Committee M1 Biometrics
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 19
proval of formal national and international biometric
standards for biometric data interchange and interoperability.
These standards are considered to be critical for
U.S. needs, such as homeland defense, the prevention of
identity theft, and for other government and commercial
applications based on biometric personal authentication.
As INCITS is the TAG to ISO/IEC JTC 1, M1 is the
TAG to its counterpart in the international arena, JTC 1
subcommittee SC 37 - Biometrics, which is developing a
similar portfolio of standards.
Since its founding in November 2001, M1 has been the
primary U.S. focus for formal biometric standards development
and carries the U.S. position to the primary international
biometric standards group. The current program
of work includes technical interfaces between biometrics
and other system components, data interchange formats,
biometric application profiles, performance testing and
reporting, multi-biometric systems, cross jurisdictional
and societal issues, and conformance testing for these
various standards.
Currently, there are five Task Groups within M1. Task
Groups are established with a long-term, permanent view
and do not require periodic reauthorization to conduct
business. They maintain formal memberships, separate
from the full M1 plenary Technical Committee and have
their own officers. They have the right to make decisions
on those within their purview, although these decisions
are formally reviewed/approved and can always be overruled
by the M1 plenary.
These Task Groups include:
• M1.2—Biometric Technical Interfaces— This task
Version 2 – Summer 2008

Section 5 20 Biometric Standards and Best Practices
group covers the standardization of all necessary interfaces
and interactions between biometric components
and sub-systems, including the possible use of
security mechanisms to protect stored data and data
transferred between systems. Completed projects to
date include:
–
–
–
The formal standardization and maintenance of
the Common Biometric Exchange File Format
(CBEFF) (ANSI INCITS 398-2008).
Biometric Application Programming Interface,
{BioAPI} (ANSI INCITS 358-2002) and amendment
one (ANSI INCITS 358-2002/AM1-2007)
Conformance Testing Methodology for INCITS
358-2002
429-2007)
BioAPI Specification (ANSI/INCITS
• M1.3 - Biometric Data Interchange Formats - A task
group set up to ensure the standardization of the
content, meaning, and representation of biometric
data interchange formats. This work is at the heart
of allowing systems to be interoperable, since it defines
standard template or image representations for
biometric data. Completed projects to date include:
–
–
–
Finger Pattern Based Interchange Format (ANSI
INCITS 377-2004)
Finger Minutiae Format for Data Interchange
(ANSI INCITS 378-2004)
Finger Image Based Interchange Format (ANSI IN-
CITS 381-2004)
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 21
–
–
–
–
Face Recognition Format for Data Interchange
(ANSI INCITS 385-2004)
Iris Recognition Interchange Format (ANSI INCITS
379-2004)
Signature/Sign Image Interchange Format (ANSI
INCITS 395-2005)
Hand Geometry Interchange Format (ANSI INCITS
396-2005)
• M1.4 - Biometric Profiles - This task group deals with
the standardization of application-specific profiles
that explain how to take base biometric standards
and use them in a particular application domain.
Current application profiles include:
•
–
–
–
–
–
Biometric Based Verification and Identification of
Transportation Workers (ANSI INCITS 383-2008)
Biometric Based Personal Identification for Border
Management (ANSI INCITS 394-2004)
Point-of-Sale Biometric Verification/Identification
Biometric Physical Access Control (ANSI INCITS
422-2007)
Department of Defense Implementations (ANSI
INCITS 421-2006)
M1.5 - Biometric Performance Testing and Reporting -
This group handles the standardization of biometric
performance metric definitions and calculations, as
well as defines approaches to testing performance
Version 2 – Summer 2008

Section 5 22 Biometric Standards and Best Practices
and the requirements for reporting the results of
those tests.
–
–
–
–
Biometric Performance Testing and Reporting
(ANSI INCITS 409.1-2005 Principles and Framework)
Biometric Performance Testing and Reporting
(ANSI INCITS 409.2-2005 Technology Testing and
Reporting)
Biometric Performance Testing and Reporting
(ANSI INCITS 409.3-2005 Scenario Testing and Reporting)
Biometric Performance Testing and Reporting
(ANSI INCITS 409.4-2006 Operational Testing
Methodologies)
• M1.6—Cross Jurisdictional and Societal Issues— This
task group is not intended to develop national standards
but to provide recommendations and particularly
to develop U.S. technical contributions to the
corresponding international group, JTC 1 SC 37 WG
6. Since international decisions on cross-jurisdictional
matters may significantly affect U.S. interests,
this subject is important enough to warrant a U.S.
task group.
Additionally, ad-hoc groups can be formed within the
M1 TC and/or within Task Groups as necessary. Ad-hoc
groups are short lived and focus on a specific problem,
technical issue, investigation, or report. Unlike TGs, the
ad-hoc groups’ authority automatically expires after a
short period unless extended by a formal action of the
M1 plenary body. On occasion, an ad-hoc group may fo-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 23
cus so broadly, or may be so pervasive or extended, that it
could warrant replacement by a permanent Task Group.
OASIS (Organization for the Advancement of Structured
Information Standards) - OASIS is a not-for-profit,
international consortium that drives the development,
convergence, and adoption of e-business standards. The
organization produces a large number of web standards
in supporting areas for e-business such as security and
biometrics. The OASIS XML Common Biometric Format
(XCBF) Technical Committee has specifically defined
a common set of secure XML encodings for the patron
formats specified in CBEFF, allowing biometric data to
be securely passed over the Internet. The XML Common
Biometric Format (XCBF) is a common set of secure
XML encodings defined by the XCBF Technical Committee
of the OASIS. XCBF provides security for biometric
data through its support of the X9.96 XML Cryptographic
Message Syntax (XCMS) standard. In 2003, XCBF 1.1 became
an approved OASIS standard.
The Open Group - The Open Group is an international
consortium dedicated to “Boundary-less Information
Flow achieved through global interoperability in a
secure, reliable, and timely manner.” It has, in the past,
been involved in biometric standardization through its
Security Forum, which participated in the development
of the BioAPI, and encourages the development of secure
methods of personal authentication. This group has
developed an extension to its Common Data Security
Architecture (CDSA) with a biometric component - Human
Recognition Services Module (HRS). CDSA is a set
of layered security services and a cryptographic framework
that provides the infrastructure for creating crossplatform,
Version 2 – Summer 2008

Section 5 24 Biometric Standards and Best Practices
interoperable, security-enabled applications for clientserver
environments. The biometric component of the
HRS is used in conjunction with other security modules
(i.e., cryptographic, digital certificates, and data libraries)
and is compatible with the BioAPI specification and CB-
EFF.
ASC X9 (Accredited Standard Committee X9) is a nonprofit,
tax-exempt 501(c)(3) organization, formed specifically
“to develop, establish, publish, maintain, and
promote standards for the Financial Services Industry
in order to facilitate delivery of financial products and
services”. It is the only industry-wide forum that brings
together bankers, security professionals, manufacturers,
regulators, associations, consultants, and others in the financial
services industry to address technical issues, find
the best solutions, and codify them as nationally accepted
standards.
ASC X9 has developed and published ANSI X9.84-2003,
Biometrics Management and Security for the Financial
Services Industry. ANSI X9.84-2003 specifies the minimum
security requirements for effective management
of biometric data for the financial services industry and
the security for the collection, distribution, and processing
of biometric data.
ASC X9 is a U.S., ANSI-accredited standards developing
body. It serves as the ANSI TAG to the ISO Technical Committee
68. A subcommittee of the X9 committee known
as SCF Data Security is concerned specifically with the
security and management of biometric data in financial
services, including secure transmission, and storage.
X9 has developed a financial services standard for
biometrics, X9.84, which is increasingly being cited for
use in other industry sectors.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 25
Figure 5-2 Biometric Standards Activities. 48
48 Chart from ANSI Homeland Security Standards Panel Biometric Workshop
Report. April 2004. Chart also included in NIST Biometric Standards
Program presentation. Michael D. Hogan and Fernando Podio.
September 2004.
Version 2 – Summer 2008

Section 5 26 Biometric Standards and Best Practices
BioAPI Consortium
The BioAPI Consortium initially formed in 1998 to develop
a widely available and accepted Application Programming
Interface (API) that would serve for various
biometric technologies. The BioAPI was originally conceived
as a multi-level API and was the initial framework
for discussion when three groups - BioAPI, HA-API, and
BAPI - were merged.
The BioAPI specification was approved in Februay 2002
as ANSI INCITS 358-2002 and amended as ANSI INCITS
358-2002/AM 1-2007. It defines an open systems common
Application Programming Interface (API) between
applications and biometric technology modules. The
implementation of compliant solutions allows for:
•
•
•
•
Easy substitution of biometric technologies,
Utilization of biometric technologies across multiple
applications,
Easy integration of multiple biometrics, and
Rapid development of applications.
The development of a single approach specified in this
standard promotes interoperability among applications
and biometric subsystems by defining a generic way of
interfacing with a broad range of biometric technologies.
BioAPI is intended to provide a high-level generic biometric
authentication model suitable for any form of biometric
technology. It covers the basic functions of en-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 27
rollment, verification, and identification - including a database
interface to allow a Biometric Service Provider (BSP) to
manage the identification population for optimum performance.
It also provides primitives that allow an application
to manage the capture of samples on a client and the enrollment,
verification, and identification on the server. Bio-
API defines a common method of communication between
a software application and an underlying biometric technology
module. The intent is to provide an open system
specification that supports a broad range of applications
while remaining biometric technology vendor neutral. This
is critical in large-scale deployments of biometrics since it
can assist in enabling:
•
•
•
•
Rapid development of applications employing
biometrics,
Flexible deployment of biometrics across platforms
and operating systems,
Improve ability to exploit price performance advances
in biometrics, and
Enhanced implementation of multiple biometric technologies.
Common Biometric Exchange File Format
(CBEFF)
CBEFF defines a biometric data structure that assures that
different biometric devices and applications can exchange
biometric information efficiently. This common file format
facilitates exchange and interoperability of biometric data
from all modalities of biometrics independent of the particular
vendor that would generate the biometric data. It
Version 2 – Summer 2008

Section 5 28 Biometric Standards and Best Practices
promotes interoperability of biometric application programs
and systems developed by different vendors by allowing
biometric data interchange. Different CBEFF patrons
may define and register their own formats. This allows
other entities to interpret the meaning of the unique data
elements contained within that patron format. It provides
forward compatability for technology improvements, since
there are data fields that refer to the biometric data, version
number, and vendor’s name. CBEFF can accomodate
any biometric technology and can facilitate the exchange
of biometric data between systems. It does not, however,
achieve compatibility among different biometric technologies.
Although Vendor A may be able to read CBEFF compliant
data from Vendor B by looking up Vendor B’s patron
format, it does not mean that Vendor A can use the data to
perform biometric verification or identification.
CBEFF was formalized as NIST Interagency Report (NISTIR)
6529 in 2001 but work continues to further develop the applications
of CBEFF and to have it standardized internationally.
CBEFF is being incorporated in U.S. government and
international requirements 49 such as the technical specifications
drafted by the International Civil Aviation Organization
(ICAO). Some groups are now starting to insist on
CBEFF as part of their own biometrics applications. The biometric
interchange records produced as part of the BioAPI,
for instance, have their own CBEFF patron format. ICAO 50
has also announced that
49 ANSI Homeland Security Standards Panel Biometric Workshop
Report. April 2004.
50 International Civil Aviation Organization (ICAO) has a general
mandate to facilitate safe and economical civil avation. It is a
special agency of the UN and was founded in 1947. Under this
mandate, ICAO has been given specific responsibility to ensure
the standardization of travel documents.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 29
biometric data stored on travel documents should be
stored in a CBEFF compliant format.
The Biometric Interoperability, Performance, and Assurance
Working Group, sponsored by NIST and the Biometric
Consortium (NIST/BC Biometric WG) approved an augmented
version of CBEFF called the Common Biometric
Exchange File Format. This revised version includes the
specification of a nested structure that accommodates
biometric data from multiple biometric types, such as
finger, facial, and iris data in the same structure and also
accommodates multiple samples of a specifc biometric
type. It also defines a Product Identifier that allows an
application to determine the biometric data originator
and a CBEFF compatible smart card biometric data structure.
ANSI NIST Standards
ANSI (the American National Standards Institute) serves
as an administrator coordinator of the U.S. private sector
voluntary standardization system. The organization promotes
and facilitates voluntary consensus standards and
conformity assessment systems. ANSI recently founded
a standards panel to identify existing consensus standards
for homeland security and assist the Department
of Homeland Security (DHS) and those sectors requesting
assistance to accelerate the development and adoption
of consensus standards that are critical to homeland
security and national defense. ANSI itself does not develop
American National Standards but provides all interested
U.S. participants with a neutral venue to come
together and work toward common goals.
Version 2 – Summer 2008

Section 5 30 Biometric Standards and Best Practices
ANSI promotes the use of U.S. standards internationally,
advocates U.S. policy and technical positions in international
and regional standards organizations, and encourages
the adoption of international standards as national
standards when they meet the needs of end-users.
NIST (National Institute of Standards and Technology) is
involved in many capacities in biometric standard development
activities, providing technical expertise and
contributions to the creation of drafts and specifications.
The organization provides technical support and activities
that help to implement standards and provides leadership
for the national and international bodies developing
formal biometric standards. Historically, NIST has
been involved in biometric standardization and testing
through its work on fingerprints with the FBI. It is also
co-chair of the Biometric Consortium. NIST provides the
chairperson of both the INCITS M1 Biometrics Technical
Committee and its international couterpart ISO/IEC JTC 1
SC 37 - Biometrics.
Biometric Consortium
The Biometric Consortium is co-chaired by NIST and the
National Security Agency (NSA) and has served as the U.S.
government’s focal point for research, development, test,
evaluation, and application of biometric-based personal
identification and verification technology. The Biometric
Consortium has organized a series of highly successful
annual biometric conferences. It serves as a forum for
the exchange of ideas on biometrics through its electronic
LISTSERV. It has also, through its Biometrics
Version 2 – Summer 2008

Biometric Technology Application Manual Section 5 31
Interoperability, Performance, and Assurance Working
Group, developed the Common Biometric Exchange File
Format (CBEFF) standard. 51
Other Standards
In the area of non-technical standards, the IBIA (International
Biometrics Industry Association) has established
standards for its members, including:
•
•
•
•
•
•
•
Use of biometrics only for legal, ethical, and non-discriminatory
purposes
Highest standards of system integrity and database
security to deter identity theft, protect personal privacy,
and ensure equal rights
Professional courtesy among competitors
Truth in marketing (including accuracy claims)
Demonstration that products are safe, accurate, and
effective
Commitment to principles of free trade
Privacy principles
51 See Common Biometric Exchange File Format (CBEFF)
Version 2 – Summer 2008

Section 5 32 Biometric Standards and Best Practices
Best Practices in Standards Development
Adherence to best practices ensures that some of the
variables involved in biometric accuracy measurement
and reporting are controlled. However, even best practices
can result in accuracy rates that are not indicative of
real-world performance.
Biometric standards are in place to support the widespread
adoption of biometrics. The industry is aware of the need
and importance of standards. Standards activities are expanding
and the standards development efforts are accelerating.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 1
Section 6: Testing and Evaluation
Introduction
How and where biometric systems are deployed ultimately
depends on the security requirements, the operational
environment, the cooperation of the user population,
and their performance. But how can one know
whichtechnologies will perform well in any given application,
since performance parameters and estimates
tend to vary from vendor to vendor?
To adequately measure the real-life properties of biometric
systems, it is important to understand the basic attributes
52 of an “ideal” biometric system. They are:
•
•
•
•
Universal: All members of the target user population
should possess the biometric feature or identifier,
such as fingerprints or iris patterns.
Unique: Each biometric reference (the template or
biometric “file” that is extracted from the live image)
should be different from all others in the user population.
Permanent: The biometric references should not
vary under the conditions in which they were collected
(i.e., they are stable over time and independent of
changing medical conditions).
Collectable: The biometric should be readily collect-
52 An Introduction to Evaluating Biometric Systems. P. Jonathan Phillips,
Alvin Martin, C.L. Wilson, Mark Przybocki. NIST. IEEE Computer magazine.
® 2000 IEEE. Used with permission.
Version 2 – Summer 2008

Section 6 2 Testing and Evaluation
•
•
•
able and quantitatively measurable.
Performance: The biometric system should satisfy
end-user requirements with respect to error
rates (False Accept Rate, False Reject Rate, etc.) and
throughput (the processing time required to complete
an authentication).
Acceptance: The biometric system should be acceptable
to all users (recognizing that in certain instances
there may be cultural, religious, or privacy-based
grounds for resistance).
Spoof Resistance: The biometric system should be
resistant to spoofing (i.e., the presentation of the falsified
image of an enrolled user) and countermeasures.
The degree of spoof resistance will be determined
by the sophistication of the biometric device.
Evaluation and testing of biometric systems can quantify
how well biometric systems perform, using the above attributes
to design a testing methodology. Typically, the
most reputable biometric evaluations are designed and
implemented by an independent third-party other than
the biometric vendor or the end-user. Such an organization
would design the evaluation, administer the test,
collect the test data, and analyze the results.
While significant progress has been made in development
of testing standards, the gains have been in general,
broad areas relative to testing such as Principles and
Framework (Ps and Fs), and specifying those Ps and Fs
for the three main areas of testing: Technology, Scenario,
and Operational (see paragraph on M1.5 in Section 5).
There are currently no approved national or international
standards for measuring and reporting the accuracy of
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 3
specific biometric modalities in areas of testing. Indeed,
despite tremendous effort by the standards development
community, there is not yet agreement on taxonomy
of biometric applications - the closest is an international
Technical Report on modality-specific testing that
attempts to define taxonomy of biometric applications
so that different testing methods can be used where appropriate.
The consequences of using technologies that are not
compliant with standards bodies are twofold:
•
•
The products in question may not interoperate with
the products of other manufacturers.
The products may not interface with other portions
of the application.
Understanding Biometric System
Performance
As the maturity of biometric technology has evolved to
meet increased security infrastructure requirements, a
number of groups are working to develop standardized
technical factors that describe and assess the performance
of biometric systems. For these vital technologies
to realize their full potential for domestic and international
security, it is critically important that a baseline of
performance standards for technical operation and supporting
processes be established and measured.
No single biometric technology will universally satisfy
every application: a biometric system that works well
for one application may not be the best choice for an-
Version 2 – Summer 2008

Section 6 4 Testing and Evaluation
other. As governments and businesses around the world
increasingly rely on biometrics to help secure access,
transactions, and identity, there is an equally increasing
demand for accurate and unbiased evaluations of
biometrics. Such testing can provide accurate metrics
on how the technology will perform in the real world,
thus alleviating unfounded concerns about operational
performance. This is particularly so after the September
11, 2001, terrorist attacks in the Unites States, in which
identity deception played such a prominent role. Various
governments have since implemented biometric identification
systems for documents such as passports, visas,
and national ID cards. These programs face the important
task of evaluating which biometrics are best suited
for their particular application, while also having to consider
which will best integrate and collaborate with other
systems. Since no single biometric technology will be
suitable for all applications, organizations and programs
are more dependent on unbiased and reliable testing
and evaluation to help them select the best biometric
for their specific requirement. This demand is being met
in a variety of ways, as government agencies, university
research labs, for-profit, and nonprofit companies have
introduced testing capabilities at various levels.
Until recently, commercial vendors and biometric consultants
have performed evaluations of biometric devices
and systems. Such vendor-sponsored testing alone
may fail to provide adequate information to the end-user
because the goals of the two parties are quite different.
The vendor conducts tests to improve their devices and
uses the results to sell products. End-users seek test results
that will aid them in selecting a device that best fits
their needs, with a focus that is specific to their application
and enrollee group(s).
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 5
According to Dr. James Wayman, a recognized authority
in biometrics and related testing, there are three major
difficulties in testing biometric devices and systems. 53
1.
2.
3.
The dependence of measured error rates on the application
classification.
The need for a large test population that adequately
models the target population.
The necessity for a time delay between enrollment
and testing.
While thousands of live images may have been acquired
to test the distinctiveness of a biometric, the good news
is that these large sample sizes enable researchers to
draw conclusions about uniqueness that are statistically
significant. Other factors may have to be built into testing
methodology, such as accommodating the fact that
biometric features can “age” or change over time. Vendors
rarely conduct tests of this scope and scale, since
any effort to account for all variables and acquire enough
samples to be credible becomes prohibitively challenging
and costly. Independent testing organizations can
overcome some of these challenges by drawing upon
a larger data set for testing, either by using simulations
from stored biometric samples or by relying on an existing
pool of test subjects.
Comparison of Types of Testing
Over time, three important types of testing have
53 Interview, June 2005.
Version 2 – Summer 2008

Section 6 6 Testing and Evaluation
emerged as the primary approaches to biometric
product testing: technology testing (algorithm
verification), scenario testing, and operational testing. 54
Technology Testing
Technology testing is concerned with understanding
and comparing the software techniques that are used
to acquire, process, and compare biometric data. The
main focus is on the pattern-matching technique that is
used for comparing biometric data; the process of using
software algorithms to read and derive a pattern from
the raw biometric image and store the result in a way to
make it subject to reliable comparison later. Algorithm
tests study different classification and matching
methods with the goal of evaluating them on efficiency,
speed, and performance. The evaluation compares
competing algorithms from a single type of technology,
carried out on a standardized database collected by a
universal sensor, with the results determining the relative
effectiveness of the tested algorithms. Although these
tests are useful and repeatable, the results generally
do not show real-life performance under actual
field conditions with real enrollee/user populations.
In algorithm evaluations, a database of biometric
references is provided to test participants in
advance to familiarize themselves with the data for
54 Army Biometric Applications: Identifying and Addressing SocioCultural
Concerns. John D. Woodward, Katharine W. Webb, Elaine M. Newton,
Melissa Bradley, David Rubenson. 2001. www.rand.org Santa Monica,
CA: RAND Corporation. Used with permission. .
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 7
developmental or tuning purposes. The actual test
data is conducted on a new, sequestered portion of
the database. The use of fixed databases ensures the
same test will be given to all participants. Because the
database is fixed, the results of technology tests are
repeatable. Offline processing of data is carried out
in a laboratory environment. For example, a testing
facility will take fingerprint samples from 200 people.
Vendors participating in the test would be given copies
of 50 of these prints to calibrate and fine-tune their
equipment. Actual testing would use the remaining
150 samples to compute various performance values.
The purpose of technical performance testing is to
determine the range of error and throughput rates,
with the goal of understanding and predicting realworld
error and throughput performance of biometric
devices and systems. During algorithm or technology
testing, families of end-to-end system-level tests or
tests of complete software products and readers can
be performed. These tests focus on determining the
operating characteristics of the technology and are
designed to compare one or more systems under
controlled conditions against a similar set of inputs.
Evaluations of biometric systems generally proceed
from the general technology to the specific application
of that technology. The next level of testing (Scenario)
determines which applications or scenarios need to be
Version 2 – Summer 2008

Section 6 8 Testing and Evaluation
evaluated.
Scenario Testing
Scenario testing is used to test the performance of
biometric systems in an environment that models
real-world applications to evaluate and compare
performance across biometric devices. In contrast to
algorithm or technology evaluation, each system in
scenario testing has its own acquisition sensor and
therefore receives different data inputs than those tested
in technology (algorithm) evaluation. In other words,
a scenario test determines how well the technology
works in the context of the proposed application.
Scenario evaluation helps an end-user decide which
biometric device will work best for his/her needs.
It is important that data collection for all tested systems in
scenario evaluations come from the same environment
and same population. Because it is difficult to precisely
control different scenario model and field conditions, test
results are only considered repeatable under identical
control variables and environment. Depending upon the
storage capabilities of the device, both on-and off-line
transactions may be combined in scenario evaluations.
Operational Testing
Operational testing is typically used to evaluate pilot
programs, going beyond scenario testing to determine
the performance of a complete biometric system in a
specific application (field) environment with a specific
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 9
target population. It helps to determine how the system
will perform as a whole based on these factors. Off-line
testing may or may not be possible, depending upon the
storage capabilities of the device. Overall, test results
from operational evaluations are not repeatable because
of the range of unknown and undocumented differences
between operating environments.
An operational evaluation tests a live system deployed
in its native environment for its intended application. It
differs from a scenario test in that the population and
environment are not controlled. One specific distinction
between the two is that an imposter’s presence would
not generally be known in an operational test, making it
impossible to quantify the probability of false acceptance.
During operational testing, system vulnerability can
also be performed. Vulnerability tests have the goal of
understanding how systems can be defeated or how
they fail on their own.
Errors that can potentially affect biometric technology
performance can come from four different sources. 55
55 Army Biometric Applications: Identifying and Addressing SocioCultural
Concerns. John D. Woodward, Katharine W. Webb, Elain M. Newton,
Melissa Bradley, David Rubenson. 2001. www.rand.org Santa Monica,
CA: RAND Corporation. Used with permission.
Version 2 – Summer 2008

Section 6 10 Testing and Evaluation
1. Variations in the biometric pattern itself
2. Variations in the way users present the biometric
during live verification or identification attempts.
3. Variations in the way the sensor reads the biometric
trait.
4. Variations in the transmission process (including noise
introduced by compression and expansion).
Each of these factors is typically related to a specific
application and a single test environment cannot predict
potential error rates for all applications. Therefore, results
from laboratory testing (whether vendor or otherwise)
are highly dependent on the test population and are
not necessarily a useful predictor of errors in real-world
uses.
The following table summarizes the differences between
the types of tests and the treatment of various factors.
Version 2 – Summer 2008

COMPARISON OF ALGORITHM, SCENARIO, AND OPERATIONAL TESTING 56
Type of Test
Factor Algorithm Scenario Operational
Subject of testing
Biometric component (matching or
Biometric system Biometric system
extraction algorithm, sensor)
Ground truth
Known, test subject to data collection
Known, test subject to data collection
Unknown
errors and intersections in merged data
errors and tester failure to note un-
sets
wanted test subject behavior
Uncontrolled
Controlled (unless test subject behavior
is an independent variable)
Not applicable during testing. May be
known to be controlled when biometric
data recorded, otherwise considered
to be uncontrolled.
Subject behavior controlled
by experimenter
No Maybe Yes
Subject has real-time
feedback of the result of
attempt
Not repeatable
Repeatability of results Repeatable Quasi-repeatable (if test scenario and
population controlled)
Controlled and/or recorded Not controlled, ideally
recorded
May be known to be controlled when
biometric data recorded, otherwise
considered to be uncontrolled
Control of physical
environment
56 Adapted from INCITS/M1-04-0570 Project INCITS 1602-D Part 3: Scenario Testing.

COMPARISON OF ALGORITHM, SCENARIO, AND OPERATIONAL TESTING 56
Type of Test
Factor Algorithm Scenario Operational
Recorded Recorded during
enrollment. May be
recorded during verification/identification
Not applicable during test. May
be recorded when biometric data
recorded.
Subject interaction
recorded
Externally consistent
Results Internally consistent Compromise between internal and
external consistency
Measure performance
in an operational environment.
Compare biometric systems; determine
critical performance factors.
Measure simulated performance.
Comparison of biometric components
or versions of components (e.g., matching
or extraction algorithms or sensors).
Determine critical performance.
Typical results reported
Operational FRR. Operational
FAR.
Predicted end-to-end throughput,
FMR, FNMR. FTA, FTER. End-to-end
throughput.
Most performance metrics. Not endto-end
throughput. Most error rates.
Good for large-scale identification
system performance where difficult to
assemble large test crew.
Typical metrics
Appropriate test database, e.g., gath-
Operational, instrumented system Operational, instruered
with one or more sensors, the
mented system;
identity of which may or may not be
typically only decision
known
rates are available
Human test population Recorded Live Live
Constraints

Biometric Technology Application Manual Section 6 13
ROC, DET, and CMC Curves
When presenting test results, the matching or decisionmaking
performance of biometric systems are graphically
represented using Receiver Operating Characteristics
(ROC), Detection of Error Trade-off (DET), or Cumulative
Match Characteristic (CMC) curves.
A ROC curve is a plot of the rate of “false matches” (attempts
by an imposter that were accepted by the system on the
x-axis against the corresponding rate of “true matches” (or
acceptances of a genuine person) plotted on the y-axis. 57
ROC curves are threshold-independent, which allow for
comparison of different systems under similar conditions,
or the same system under differing conditions.
Figure 6-1 Example ROC curve. 58
57 See “Performance Measures” below for an explanation of False Acceptance
Rates, False Reject Rates, and other important measurements of biometric
performance.
58 Chart from Best Practices in Testing and Reporting Performance of
Biometric Devices. Tony Mansfield and James Wayman. August 2002. Used
with permission.
Version 2 – Summer 2008

Section 6 14 Testing and Evaluation
Another means of plotting test results is a DET curve, a
modified ROC curve that plots error rates on both axes
(false matches on the x-axis and false rejections on the
y-axis).
Figure 6-2 Example DET curve. 59
A third type of results graph is a Cumulative Match Characteristic
(CMC) curve, which provides a graphical presentation
of identification task test results and plots rank
values on the x-axis with the corresponding probability
of correct identification or verification at or below that
rank on the y-axis.
59 Chart from Best Practices in Testing and Reporting Performance of Biometric
Devices. Tony Mansfield and James Wayman. August 2002. Used
with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 15
Figure 6-3 Example CMC curve. 60
In the full scope of biometric testing, each of these types
of tests has its utility, with some more oriented to the
developer and manufacturer (technology) and others to
the user. In practice, all three approaches provide useful
information on how the device and system will perform
and assist in the selection process. Primary examples of
how data from the curves are used include:
1. Determining optimal settings for a particular device to
achieve the desired balance between false non-matches
and false acceptances
2. Determining which device achieves the desired mix
for both throughput considerations (minimizing false
non-matches) and security considerations (deciding how
resistant to false acceptances the application must be).
60 Chart from Face Recognition Vendor Test 2002 – Evaluation Report
March 2003. DARPA, NIST, DoD Counterdrug Technology Development
Program Office, and NAVSEA Crane Division.
Version 2 – Summer 2008

Section 6 16 Testing and Evaluation
Measuring Biometric Performance
Historically, biometric performance testing has focused
on biometric systems’ technical (algorithmic) performance
or error rates (false match and false non-match).
Various types of algorithm verification/technical performance
testing can be viewed as measurement, comparison,
prediction, and qualification.
Additional parameters may also be considered when
evaluating the operational performance of biometric
components and systems. These include:
•
•
•
•
•
Reliability, availability, and maintainability
Security, including vulnerability to spoofing
Human factors, including user acceptance
Cost/benefit in comparison to existing security processes
and systems, and
Privacy regulation compliance.
Security tests, including data security and anti-spoofing
tests, are increasingly being incorporated into biometric
evaluations. Interoperability or plug-and-play tests
are other important variations used to evaluate when
assessing system performance. In a broad sense, the
performance of biometric systems for identification and
verification is a function of:
61 Intentionally fooling a biometric device or system by employing the
falsified biometric image of an authorized user.
61
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 17
•
•
The strength of the underlying biometric
The quality and information content of the input,
and
62
• Configuration and architecture of the system.
Factors contributing to the strength of the biometric being
measured include:
•
•
•
•
•
Individual variability
Population variability
Accuracy of measurement
Repeatability of measurement, and
Selectivity of the biometric.
The performance of biometric systems can be generally
described as a function of accuracy and throughput. Error
rates, the nature of failures and their costs, and system
vulnerabilities contribute to an overall assessment
of system performance. Additionally, while most of the
performance metrics tend to focus at the biometric device
level, it is important to understand that biometric
devices are components of larger systems, which impose
external variables and interoperability issues that
impact biometric system performance in the field environment.
62 Biometric Principles, Applications, Opportunities and Issues, biometrics
2004 presentation. Dr. Craig Arndt, Mitretek Systems. London, UK.
Version 2 – Summer 2008

Section 6 18 Testing and Evaluation
Perhaps the greatest source of variability is the biometric-contributing
subject itself: the human being. Human
factors, such as aging, medical condition, degree of
sobriety, emotional state, etc., present significant issues
that impact biometric system performance. There is a
recognized need for applied research and understanding
of human factors and other environmental and operation
conditions impacting fielded performance in
biometric systems deployment. The scale or volume of
biometric systems presents additional problems that
impact system performance considered outside of the
scope of device testing. User acceptance and applications
specific limitations in the biometric deployment
environment also impose additional factors which affect
overall operational performance.
Performance Measures
The following performance metrics are generally applicable
to all biometric devices and are defined in the testing
and reporting best practices document developed
by Mansfield and Wayman. 63 These performance metrics
include:
• False Accept Rate (FAR) : This is the expected proportion
of transactions with wrongful claims of identity
(in a positive ID system) or non-identity (in a negative
ID system) that are incorrectly confirmed. A
transaction may consist of one or more wrongful attempts
dependent upon the decision policy. A false
63 Best Practices in Testing and Reporting Performance of Biometric
Devices. Version 2.01, Biometrics Working Group. Tony Mansfield and
James Wayman. August 2002. Used with permission
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 19
acceptance is often referred to in the mathematical
literature as a “Type II” error.
• False Reject Rate (FRR) : This is the expected proportion
of transactions with truthful claims of identity
(in a positive ID system) or non-identity (in a negative
ID system) that are incorrectly denied. A transaction
may consist of one or more truthful attempts dependent
upon the decision policy. A false rejection is
often referred to in the mathematical literature as a
“Type I” error.
• Matching Errors:
Matching errors such as False
Match Rate (FMR) and False Non-Match Rate (FNMR)
refer to matching algorithm errors for a single comparison
of a submitted sample against a single enrolled
reference/model.
The FMR is the expected probability that a sample
will be falsely declared to match a single randomly
selected “non-self” (genetically different) reference.
(A FMR is sometimes referred to as a “false
positive”).
The FNMR is the expected probability that a sample
will be falsely declared not to match a reference
of the same measure by the same user. (A FNMR is
sometimes called a “false negative”).
• Failure to Enroll:
The Failure to Enroll (FTE) rate is
the expected proportion of the population that is unable
to enroll their biometric in order to create a reference
of sufficient quality for subsequent automated
operation. This may occur for a number of reasons.
Persons with disabilities, for example, may be unable
to present the required biometric feature, or provide
Version 2 – Summer 2008

Section 6 20 Testing and Evaluation
an image of sufficient quality at time of enrollment. In
some cases, the biometric trait may be less distinctive
and prevent individuals from reliably matching the
reference in attempts to confirm the enrollment is usable.
In this sense, the FTE is also dependent upon the
particular enrollment policy as to allowable attempts.
• Failure to Acquire:
This is the expected proportion
of transactions for which the system is unable to capture
or locate an image or signal of sufficient quality
for matching purposes. This rate may be dependent
upon adjustable thresholds for image quality.
• Transaction or Throughput Times: Transaction
times can be characterized by the theoretical time it
takes to match a reference sample to the live reference
presented. It can be applied in the context of
both identification and verification systems. In both
cases, the theoretical rate won’t necessarily represent
real-world throughput rates, due to the wide range
of operational variables that impact transaction-processing
speed in live scenarios.
The Qualified Products List
A step in the direction for more standardized testing is
the emergence of Qualified Product Lists (QPL) of biometric
products that have been subjected to independent
and objective testing. The QPL concept was initiated
and first commercialized by NBSP and is now used
by the community to describe the process of identifying
those biometric products that have successfully passed
the thresholds for evaluating performance against a series
of published Common Performance Standards (CPS).
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 21
QPL’s are not attempts to describe how well a biometric
system performs, but whether it does or does not meet
a specified level of performance. What that level is can
be an industry consensus standard, or it can be a level
established by a potential user or agency. The important
issue is that it be publicly known and reported openly as
part of the evaluation. The NBSP/BSI QPL test program
consists of performance testing and, if applicable, standards
conformance testing.
The NBSP/BSI QPL Performance Test
This test utilizes a comprehensive scenario testing capability
to evaluate the ability of a biometric device to
operate against a set of performance levels, also known
as Common performance Standards (CPS). In the NBSP
QPL, each biometric device is tested during a six to eight
week period by at least 200 NBSP trained operators (test
participants). During this period, each device is activated
a minimum of 10,000 times. The performance measures
are determined by actual activations as opposed to
theoretical computer analyses. The four main CPS criteria
against which all products are tested are:
•
•
•
•
False Accept Rate
False Reject Rate + Failure to Acquire Rate
Failure to Enroll Rate
Throughput Rate
Version 2 – Summer 2008

Section 6 22 Testing and Evaluation
Demographics
Demographics is a key consideration accounted for in
NBSP/BSI’s enhanced scenario test procedures. The common
aspects of sample demographics are gender, age,
and ethnicity. Samples are normally drawn in a manner
that forms a pool of people whose demographics closely
resembles the total target population. Not only should
the sample reflect the age distribution profile of the target
population, but the age distribution by gender and
ethnicity.
Demographic considerations may also include a requirement
for finer gradations of ethnicity. The three major
categories of racial origins (European, Asian, and African)
are often subdivided in so many ways that a sample
that attempts to accurately reflect the multi-dimensional
profile of the target population could become unmanageable.
Trade-offs are often required between the degree
of precision in matching the desired profile and the
practical resource availability for conducting the test program.
Sample Size
The adequacy of a sample size is not a linear function. That
is, although we know that it is difficult to draw meaningful
conclusions with too few subjects in the sample, there is
often an upper limit where increasing the size of the sample
does not lead to a comparable increase in the utility of
the findings, depending on the nature of the study. Statistically,
a sample of 13 is about as small as practical for
any kind of study. At the other end, national opinion polling
and other studies yield surprisingly accurate assess-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 23
ments with as few as 600 to 1800 respondents. The problem
with computing adequate sample sizes in advance
of testing is that the equations use the mean value of the
test and a measure of the distribution of deviations about
the mean. Until the test is conducted, however, these
two values are unknowns. In their place, estimates of the
likely mean and deviation values are used. Consequently,
the accuracy of the sample statistics depends upon one’s
ability to make correct estimates.
BSI addresses these issues by maintaining a volunteer
group of 500+ operators. Demographic information can
be modeled after the client’s required user group to create
a more accurate test scenario.
An important aspect of the QPL as administered by NBSP/
BSI is limiting disclosure that a product has not passed
the test to the submitting vendor. While it is important
that the vendor understand the basis for a product’s failure
in the test process, it does not serve the objectivity
of the process to indirectly participate in marketing or
competitive advertising efforts based only on QPL performance.
A product can be re-submitted after improvement,
and buyers are protected by simply requiring that
any product proposed for use in their application MUST
be listed on the QPL.
The NBSP/BSI QPL Conformance Test
This test evaluates devices to determine conformance
with relevant published ISO/IEC standards. Generally,
conformance testing is conducted by using conformance
test suites designed for specific standards. Such
evaluations will be expanded to include additional
Version 2 – Summer 2008

Section 6 24 Testing and Evaluation
standards as the software modules are written and field
tested. NBSP/BSI currently tests against the following
standards are required.
•
•
•
•
•
•
•
•
•
•
•
INCITS 377-2004
INCITS 378-2004
ISO 19794-2-2005
INCITS 379-2004
INCITS 396-2005
INCITS 395-2005
ILO SID
ICAO LDS 1.7
BioAPI
INCITS 381-2004
INCITS 385-2004
The Transportation Security Administration (TSA) recently
initiated its own version of a QPL testing program for
biometric products to be used in airports. The TSA QPL
testing ensures that all of the devices that make it on the
list have passed a minimum level of capability. Testing includes
the use of more than 250 subjects, representative
of a typical airport population in gender, age, and occupation.
The subjects visit multiple times over a period of
six weeks to best simulate a real use pattern for an indoor
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 25
application. At the time of this writing, U.S. Department
of Defence procurements are calling for the implementation
of a QPL for DoD products.
The end-user benefits of a biometric Qualified Product
List include:
1.
2.
3.
4.
A catalog of commercially available products that
meets minimum standards for use in civil infrastructure
applications
A significant reduction in the need for duplicative pilot
testing for general use
Acceleration of the acquisition process by identifying
a field of suitable products that met QPL thresholds
An opportunity for vendors’ products in multiple
modalities, with different features, to demonstrate
general or common performance capabilities.
Other Types of Testing:
Vulnerability Testing
While not always the case, it is generally accepted that a
biometric system is most vulnerable at the reader level,
as this is the primary interaction point for users and the
critical function where the biometric feature is presented
to the system. Vulnerabilities or attacks that a biometric
system could face include, but are not limited to:
•
Impersonation attempts (disguises) or spoofing (artifact
substitution for live feature)
Version 2 – Summer 2008

Section 6 26 Testing and Evaluation
•
•
•
Database attacks (exchanging or corrupting references)
Tampering with threshold settings
Network-based attacks
In its most basic form, vulnerability testing is the practice
of finding weaknesses and exploiting them. These tests
also involve statistical studies to assess risks and estimate
the ultimate “strength of function” for a given system.
“Strength of function” arguments are statistical models
developed to define the attack space for the identifier. 64
This is an attempt to assess the probability that a suitable
identifier can be generated to match another identifier in
the population that is sufficiently similar (a false accept).
It is important that product “vulnerabilities” be defined
in the context of the operating environment and proper
usage within the design parameters of the product. For
example, it serves little purpose to employ a biometric
in an unmonitored setting and give an attacker an unlimited
number of attempts to defeat the system, when
the system is not intended or designed for remote and
unmonitored use. Most biometric products would fit in
this category today. To show that a biometric product is
vulnerable to such repetitive attacks does not mean the
product is not useful when properly employed.
64 From Biometrics: Identity Assurance in the Information Age. John D.
Woodward, Jr. McGraw-Hill. 2003. Pg. 193. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 27
Security Testing
While vulnerability testing focuses on the primary weaknesses
in a specific biometric to improve its design and
performance, there is a case to be made for a more generic
approach to testing for security in the operation of
biometric-based identity management systems. Such
tests can lead to development of countermeasures
against both common and developing threats to system
effectiveness and reliability. Expressed as standard or
“best practice” methods, manufacturers can be expected
to adopt such findings in the design, development,
and production of new biometric products. Conversely,
buyers should be aware of different levels of security inherent
in a product to determine suitability for critical
applications. For example, it can be expected that a biometric
controlling entry into a nuclear site might require
a higher level of intrinsic security design than one used
for a commercial purchase.
Progress in this area of testing has been relatively slow.
Initiatives to date include:
•
•
•
The SC 27 Subcommittee for Information Technology
Security Techniques is developing WD 19792,
a Framework for security evaluation and testing of
biometric systems.
A Biometric Verification Mode Protection Profile for
Medium Robustness Environments has been validated.
This incorporates a list of security requirements
and functionality to be addressed in any test.
There is some level of interest in including biometric
technology in the Common Criteria program, howev-
Version 2 – Summer 2008

Section 6 28 Testing and Evaluation
er, that process is arduous, time consuming and costly
to manufacturers and would need to be streamlined
to justify and gain more widespread support. A
draft document described as a Biometric Evaluation
Methodology Supplement is reportedly under development,
which will hopefully meet the need while
addressing concerns regarding the process.
Interoperability Testing
The increasing use of multi-modal biometric systems
demands an acceleration of biometric interoperability.
Interoperability testing assesses the ability to exchange
and use information on a single system in a multi-modal
environment, as well as the interface of the biometric
component with the holistic security program.
Considering the broad mission requirements for biometric
technology, the scope of the threat against its effective
use and the continuing state of technology development;
it is prudent for BSI and any testing activity to
embrace and support all types of biometric testing. The
obvious objectives are to assist the industry in producing
the best products that they can and enable the user to
have confidence in integrating those products into an effective
security program.
ISO/IEC 17025 Accreditation
To assure the quality and consistency of its testing operations
and processes BSI underwent the exhaustive procedures
required for ISO/IEC 17025 [General Requirements
for Competence of Testing and Calibration Laboratories]
Accreditation. As of this printing, BSI is the only labora-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 29
tory exclusively focused on biometrics to have received
this accreditation. Requirements of this lab-testing standard
include:
1.
2.
3.
4.
Accounting for factors affecting the reliability of the
tests
–
–
–
–
Human factors
Test method
Environmental Conditions
Sampling methods
Retention of Records
–
–
Original observations
Derived data
Estimating uncertainty of measurement
–
Degree of rigor depends upon the test environment
Formatting of reports
–
–
–
Accommodate each type of test
Minimize possibility of misunderstanding or misuse
Recommendation of the statement “this test report
shall not be reproduced except in full without
approval of this laboratory.”
Version 2 – Summer 2008

Section 6 30 Testing and Evaluation
Such certifications provide the organizations with:
1.
2.
3.
4.
Internal operational efficiency
Lower costs because of fewer nonconforming products,
less rework, streamlined processes and fewer
mistakes
Well defined and documented procedures to improve
the consistency of output
Quality that is constantly measured
Other Testing Considerations
Scalability and Usability
Scalability is most often considered from the perspective
of the technical infrastructure. A highly scalable biometric
is one that could be deployed effectively to identify
individuals in a large population without incurring unacceptable
error rates or throughput times. A biometric
that is poorly scalable is one that could not handle large
databases without incurring unacceptable error rates.
The scalability of a biometric is tied to the basic individuality
or selectiveness of the biometric itself, technical performance
(error rates) and degree of robustness, and efficiency
of the algorithms.
Scalability should also be considered from a human
point of view. Does the application present a closed environment
with relatively homogenous user population,
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 31
or does the application need to scale to accommodate a
user base (such as the prospective size of a national population)?
If the system does not scale well, enrollment
and authentication processes are likely to become bothersome.
This could lead to the frequent need for manual
intervention and exception handling, which can be a
detriment to system usability.
Other factors that affect usability include the intuitiveness
of the system interface with the user community, as
well as questions such as:
•
•
•
Is the transaction an inviting and positive experience?
Is consistent instruction and feedback built into the
process?
Is the performance reliable for operational staff as
well as users?
It is important to note that if users do not accept the
technology in the proposed application, the technology
will fall short of its intended benefits. Sometimes usability
factors can be more important than raw performance
for certain applications, especially if the application has
high throughput requirements and a diverse, unpredictable
user population. Incorporating human factors and
ergonomic considerations into the design can greatly
improve the usability of biometric systems and enhance
performance.
Compliance with Standards
There is a recognized need in the biometrics community
for a process for users and developers to determine
Version 2 – Summer 2008

Section 6 32 Testing and Evaluation
whether an implementation conforms to a biometric standard.
Over the years NIST has partnered with the industry
and numerous federal agencies in groups to accelerate
national and international biometric standardization.
NIST is currently leading the change for conformancetesting
clauses in the developing standard testing methodologies
through standards bodies, such as the International
Committee for Information Technology Standards
(INCITS) M1 committee, and ISO SC 37 WG5 (see Section
5 for additional details on standards development). This
involves leading efforts to harmonize testing by different
organizations, such as the development of equivalent
test tools to ensure consistent test results.
Conformance testing determines whether a biometric
system conforms to a designated standard by assessing
if an implementation of the system faithfully implements
the technical specifications of the standard.
Users and system developers need to determine system
interoperability for biometric data. Interoperability testing
consists of the testing of one implementation (product,
system) with another to establish that they can work
together properly.
The first projects for development of conformance and
interoperability testing are in the area of technical interfaces
(e.g., BioAPI and CBEFF). These include development
of conformance testing standards, which will determine
how a test laboratory determines conformance
of a product to the Bio API standard, such as:
•
•
ISO 24709-1 Conformance Testing for BioAPI Methods
and Procedures (published).
ISO 24709-2 Test Assertions for Biometric Service Pro-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 33
•
•
•
viders (published).
ISO 24709-3 Test Assertions for BioAPI Frameworks
(under development).
Conformance Testing Methodology for INCITS
358:2002 BioAPI Specification, (ANSI/INCITS
429-2007) (published).
Information Technology - Conformance Testing
Methodology Standard for Patron Formats Conforming
to INCITS 398-200x (Revision of INCITS 398:2005),
Information Technology - Common Biometric Exchange
File Format (CBEFF) (under development).
Although the development of biometric standards and
protocols is dealt with in more detail in Section 5, it should
be noted that national and international standards committees
are working to develop biometric testing standards.
The caveat on currency in Section 5 applies to test
and evaluation standards, and the most current information
can be found on the NBSP Web site at: http://www.
nationalbiometric.org/ and at http://www.biometricsinternational.org.
Test and evaluation projects currently
underway include:
•
•
•
Interoperability Performance Testing - specifying
how to conduct performance-based interoperability
testing for biometric systems
Scenario Evaluation Biometric Access Control Systems
- defining how to test biometric performance
in an access control system
Testing Methodologies for Operational Evaluation -
giving specific details and requirements for conduct-
Version 2 – Summer 2008

Section 6 34 Testing and Evaluation
•
•
•
•
•
ing an operational test
Machine Readable Test Data for Biometric Testing
and Reporting - defining a machine readable format
for biometric test reports and test databases to facilitate
automated evaluation of biometric products
and comparison of test results
Security Evaluation of Biometrics - providing a framework
for evaluating security of biometric technology
when used for physical or logical access
Framework for Testing and Evaluation of Biometric
Systems for Access Control - specifying standards for
testing performance of biometric access control systems
Framework for Testing Methodologies for Specific
Environments of Biometric Systems - describing
modifications to general test guidelines required for
testing of specific biometric modalities in specific environments
Statistical methods for decision making - dealing
with the final two stages of the biometric testing lifecycle
Testing Protocols
“A review of biometric device testing over the last two decades
shows a wide variety of conflicting and contradictory
testing protocols. Even single organizations produce multiple
tests, each using a different test method. The variety
of protocols and reporting methods hinders the comparison
and proper understanding of test results. Test protocols
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 35
have varied not only because test goals and available data
are different from one test to the next, but also because
there was not standard for protocol creation.” 65
A number of issues can be identified that have contributed
to the problems pointed out by Dr. Mansfield.
Different metrics have been used for measuring and reporting
biometric systems performance. These variances
include the accuracy metrics employed such as FAR
and FRR; a measure of the “identification rate”; and the
extent of detail reported upon. Another variability issue
is whether the tests measure and/or report performance
at a single point or utilize a range of performance
presented in ROC and DET curves. Another disparity is
whether one reports differences from measuring and/or
reporting a single point or from multiple attempts at verification.
Additional metrics that can be applied include
speed of acquisition and degree of user habituation.
Other reported testing problems include unscientific approaches,
such as using developmental data and results
derived from test data sets that are too small for inferring
the resulting performance claims. Additional issues have
been raised by cases where the wrong data was actually
saved and instances where changes made during the
test had unforeseen impact upon the test results.
The international community recognizes the need for
developing standards that will provide for common metrics
in order for a baseline of biometric evaluations to be
compared. Also important is a standardization method
of presentation, so users can rely upon the results to be
65 Biometrics 2004 Delegate Manual. Tony Mansfield, Principal Research
Scientist, National Physical Laboratory, UK.
Version 2 – Summer 2008

Section 6 36 Testing and Evaluation
formatted in a way that communicates common parameters.
Full reporting of test conditions will be required in
order that test results and their applicability to specific
scenarios will be clear. Underlying the standards is a call
for good scientific testing practice, which is unbiased, repeatable,
minimizes the level of effort required for performance
certainty, and detects or prevents manipulation
of results.
Evaluation Protocols
An evaluation protocol determines how a biometric system
is tested, data is selected, and performance is measured.
The most successful and valuable evaluations
are administered by an independent third-party that
uses biometric references that have not previously been
“seen” by the system. This is an important differentiation
because if the system is not tested with previously “unseen”
biometric references, the system is merely being
trained to function using a particular set of data.
For evaluation results and recommendations to be broadly
accepted by the marketplace, procedures, protocols,
results, and samples of the data used in testing should be
published. The evaluation and testing should also be sufficiently
documented and detailed so others can repeat
the evaluation, if necessary, to see if similar or disparate
results are achieved.
Borrowing from the children’s take Goldilocks and the
Three Bears, the three bears principle of “just right” has
often been used to describe biometric testing. If products
are to be tested, the most informative and valuable
tests to run are those that are neither too easy nor too
hard. The tests should be somewhere in the middle, or
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 37
“just right.” If a test is too easy, all products will pass. If the
test is too hard, no products will pass. The desired “just
right” medium point is achieved when test objectives are
chosen to produce a range of results so that clear distinction
can be drawn between the performance of various
products and technologies. Here again, the influence of
the operating environment and reasonable expectations
of performance in that environment should determine
what is “just right.”
Technology and Product Evaluations
Fingerprint Vendor Technology Evaluation 2003 66
In 2003, NIST conducted a technology evaluation for fingerprint
systems that was sponsored by the Fingerprint
Matching Division of the U.S. Department of Justice. The
Fingerprint Vendor Technology Evaluation (FpVTE) was
an accuracy evaluation of fingerprint matching, identification
and verification systems. The purpose was
to identify the most accurate fingerprint matching systems
and determine the effect of a number of variables
on matcher accuracy. Eighteen companies participated
in the FPVTE 2003, submitting a total of 34 systems for
evaluation.
In the small-scale test, single image comparisons of fingerprints
were matched one million times against a
66 Fingerprint Vendor Technology Evaluation 2003 - Analysis Report
(FpVTE 2003). Charles Wilson, R. Austin Hicklin, Harold Korves, Bradford
Ulery, Melissa Zoepfl, Mike Bone, Patrick Grother, Ross Michaels, Steve
Otto, and Craig Watson. NIST, Mitretek, and NAVSEA Crane Division.
Version 2 – Summer 2008

Section 6 38 Testing and Evaluation
1,000-fingerprint database. In the medium-scale test,
single image comparisons were matched against a
10,000-fingerprint database. And in the large-scale test,
set-to-set comparisons were matched more than a billion
times against a 64,000-fingerprint database. Accuracy
rates were evaluated relative to the size of the system.
The FpVTE project was launched as part of the U.S. PA-
TRIOT Act to certify biometric technologies that may be
used in the U.S. Visitor and Immigrant Status Indicator
Technology (US-VISIT) Program. The test was co-sponsored
by the U.S. Department of Justice, the FBI, DHS,
the U.S. Immigration Office, as well as the EU Commission
service, police departments in Canada, and the U.K.
Police Information Technology Organization (PTO). For
further information and data on this analysis, see www.
fpvte.nist.gov.
Face Recognition Vendor Test 2005 67
NIST is also sponsoring technology evaluations in the
area of facial recognition.
The Face Recognition Vendor Test (FRVT 2005) is the latest
in a series of large-scale independent evaluations for
face recognition systems. Previous evaluations in the
series were the FERET, FRVT 2000, and FRVT 2002. The
primary goal of the FRVT 2005 is to measure progress of
prototype systems/algorithms and commercial face recognition
systems since FRVT 2002 and ultimately develop
algorithms with performance capabilities exceeding
FRVT 2002. Additionally, one of the goals is to independently
determine if the objectives of the Face Recogni-
67 Face Recognition Vendor Test (FRVT). www.frvt.org
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 39
tion Grand Challenge (FRGC) are achieved.
The Face Recognition Grand Challenge (FRGC) is an independent
algorithm development project designed to
promote and advance facial recognition technology for
existing facial recognition activities in the U.S. government.
According to the FRGC website, 68 the main goal of the
FRGC is to promote and advance face recognition technology
to support existing face recognition efforts in the
U.S. government. FRGC will develop new face recognition
techniques and develop prototype systems while
increasing performance by an order of magnitude.
Iris Challenge Evaluation (ICE) 2005-2006
From August 2005 to March 2006, NIST conducted and
managed the Iris Challenge Evaluation. This program
consisted of an iris recognition challenge problem that
was distributed to potential challenge participants’ consisting
of two phases. The first phase was ICE 2005, concerning
iris recognition technology development. According
to the ICE web site, the primary goal of ICE 2005
was to promote and advance iris recognition technology
that supports existing iris recognition efforts by the U.S.
government.
This was followed in July 2006 by ICE 2006. The goal of
ICE 2006 was to determine the state-of-the-art capability
of automatic iris recognition technology and to establish
68 Face Recognition Grand Challenge (FRGC). www.frvt.org/frgc
69 Iris Challenge Evaluation (ICE) http://iris.nist.gov/ice/
Version 2 – Summer 2008

Section 6 40 Testing and Evaluation
a performance baseline against which to measure future
progress. The results were published in March 2007 and
are available from NIST.
Multiple Biometric Grand Challenge
In April 2008, NIST initiated the Multiple Biometric Grand
Challenge (MBGC) to address areas of concern identified
in previous challenges. According to the MBGC web site,
the primary goal of the MBGC is to investigate, test, and
improve performance of face and iris recognition technology
- including still and video imagery - through a
series of challenge problems and evaluation. The MBGC
seeks to reach this goal through several technology development
areas:
•
•
•
•
•
•
Face recognition on still frontal, real-world high and
low resolution imagery
Iris recognition from video sequences and off-angle
images
Fusion of face and iris (at score and image levels)
Unconstrained face recognition from still and video
Recognition from Near Infrared (NIR) and High Definition
(HD) video streams taken through portals
Unconstrained face recognition from still and video
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 41
Testing Organizations
There are several national and international testing organizations
that are recognized for their activities in biometric
testing. These include, but are not limited to:
•
National Institute of Standards and Technology
(NIST) - the research arm of the U.S. Department
of Commerce conducts biometric system tests using
some of the largest fingerprint databases in the world
and generally focuses on fingerprint, facial, and iris
testing on a large scale. Most of NIST’s test results are
available to the public, although tests that are run on
deployed systems (such as the FBI’s IAFIS system) are
classified due to national security concerns.
The U.S. PATRIOT Act requires NIST to work with the
Departments of State and Justice to examine entry
and exit procedures at U.S. border crossings. NIST
also runs tests related to the US-VISIT program that
requires visitors to the United States to either carry
a passport with biometric identifiers or to be fingerprinted
upon entering the country. NIST laboratories
are located in Gaithersburg, Maryland.
• Biometric Services International, LLC - BSI, located
in Morgantown, West Virginia, is an independent nonprofit
organization that consolidates NBSP’s testing,
training, research, and technical consulting functions
into a dedicated operating location and facility. BSI
performs biometric technology-specific applications
and operations testing in both an independent and
client directed test program. The program includes
product testing, standards compliance testing, and
Version 2 – Summer 2008

Section 6 42 Testing and Evaluation
special client test efforts. NBSP/BSI have developed a
testing protocol, including a set of common or general
testing criteria, to evaluate commercially available
biometric products for potential inclusion on a general
Qualified Products List (QPL). BSI is currently the
only facility exclusively dedicated to biometrics that
has achieved ISO/IEC 17025 accreditation for testing
laboratories. By holding accreditation to this standard,
it assures customers that BSI maintains a superior
Quality Management System.
• National Physical Laboratory (NPL) - NPL is the
UK equivalent to NIST. Established in 1996, the NPL
performs technology, application specific, and operational
testing programs, comparing real-world performance
to claims by biometric vendors. NPL also
provides consulting services for organizations looking
to implement a biometric strategy. The organization
is known for developing test methodologies
for biometric testing. While many of the NPL’s test
results are made public, some are not. NPL receives
some government funds, but the bulk of its biometric
testing is paid for by private companies, such as
systems integrators.
•
U.S. Department of Defense Biometrics Fusion
Center (BFC) - the U.S. Army organization that is the
DoD executive for biometric technology application.
The BFC, located in Fairmont, West Virginia, performs
several types of tests on biometric technologies, including
product assessments to verify vendor claims,
specific application and field-testing to determine
the feasibility of biometric systems, and controlled
assessment tests to check biometric performance in
laboratory environments. Their customers are gen-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 43
erally United States defense organizations. Test results
are not normally published.
BFC’s primary goal is to determine whether certain
biometric systems are appropriate for military use.
Test results are made available to government and
military officials, but not to the general public.
• Sandia National Laboratory - is a United States
national lab that develops and tests science-based
technology in support of national security interests.
Sandia conducts various research and technology
testing and results are generally not published. Sandia
is a Government-Owned, Contractor-Operated
(GOCO) facility based in Albuquerque, New Mexico.
Lockheed Martin manages Sandia for the U.S. Department
of Energy’s Nuclear Security Administration.
• U.S. Army Research Lab (ARL) - created the highly
respected Facial Recognition Technology (FERET)
program, which was later taken over by NIST. ARL
performs testing for various biometric-based products
and systems that are directly related to military
applications.
• TNO TPD - is a division of the independent Netherlands
Organization for Applied Scientific Research.
This Netherlands-based group conducts biometrics
research and testing and provides consulting services.
The organization has tested facial recognition
systems’ viability for passport applications.
TNO is financed primarily through contract research
for clients, including government and industry. Test
results are typically not public, but qualified passport
Version 2 – Summer 2008

Section 6 44 Testing and Evaluation
or ID-issuring agencies can request results information.
TNO participates in the European Biometrics
Forum (EBF), part of the European Commission’s Biovision
project to provide a roadmap for biometric systems
through 2010.
• The Biometrics Technology Center, China - is supported
by the Hong Kong Government at Hong Kong
Polytechnic University to perform research on integrated
biometric technologies. The center aims to:
–
–
–
Transfer multiple biometric technologies from
university to industry
Provide a biometrics knowledge base for industry
and technological advancement
Explore integrated biometric solutions to practical
industrial applications.
• University of Buffalo (NY) - Center for Unified
Biometrics and Sensors (CUBS) was developed to advance
the science of biometrics to provide key enabling
technologies to build engineering systems
with a focus on homeland security applications. The
center enables development of new biometric technologies
from proof-of-concept to product readiness,
including usability studies and educational outreach
to evaluate and mitigate any ethical and legal
concerns.
• Michigan State University (MSU)
- has conducted
research of fingerprint, facial recognition, and hand
geometry biometric technologies. Their test reports
are published and publicly available.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 6 45
•
University of Bologna (Italy) - Biometric Systems
Laboratory - develops biometric systems and works
with industry to test research results in specific applications.
It is primarily focused on fingerprint technology.
• Fingerprint Verification Competition (FVC) - is
a university-based test organized by biometric researchers
at the University of Bologna and is operated
in conjunction with San Jose State University
and Michigan State University. This test tracks recent
advances in fingerprint verification to establish a
benchmark for allowing systems developers to compete
on a level playing field. The competition is a predominantly
lab-based, and the fingerprint databases
were not collected in a real-world environment. The
competition, however, is still helpful and valuable as
it assists software developers and vendors in improving
their fingerprint algorithms.
• University of Edinburgh (Scotland) - has performed
tests of speech related biometrics. One test in particular
examined security specific to banking applications.
• The West Virginia University (WVU) - While WVU
does not operate a regular testing program on
biometrics, it is the only known academic institution
at a senior level offering a degree program in biometric
systems.
Other universities with growing academic and research
programs in biometrics include: Massachusetts Institute
of Technology, University of Pennsylvania, University of
Maryland, Carnegie Mellon University, University of California
San Diego, University of Notre Dame,
Version 2 – Summer 2008

Section 6 46 Testing and Evaluation
Purdue University, Johns Hopkins University and the U.S.
Naval Academy.
There are also a number of commercial organizations
with biometric research and testing capabilities. These
include Noblis and the International Biometrics Group.
• Noblis Biometrics Lab - was established to support
government evaluation and application of biometric
technologies. The lab supports development of biometric
technology demonstrations, design of prototypes,
and objective performance tests. Applications
address personal identification and authentication
with respect to physical and logical access control
and information security. Although the lab’s primary
focus is biometrics, it also supports the investigation
and integration of complementary technologies,
such as smart cards and data encryption.
• International Biometrics Group (IBG) - is a New
York-based, for-fee, testing house and consultancy
that conducts product tests that illustrate how biometric
technologies may perform in the field. IBG
has been testing and comparing biometrics since
1998, with clients from both the public and private
sectors. IBG performs “scenario testing” in which live
subjects are enrolled in a biometrics test, as well as
the algorithm testing that was described earlier in
this section.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 1
Section 7: Biometric Social and Cultural
Implications
The impact, both real and perceived, of the expanded
use of biometric technology on any society is not insignificant.
At best, the technology represents a tremendous
benefit for national/public security, individual security,
and personal identity protection. This section addresses
the social issues in three parts. First, in Section 7.1, the
legal basis for use of the technology is examined. In Section
7.2, the focus is on privacy issues and implications.
Finally, in Section 7.3, consideration is given to the public
acceptance and obstacles to proper use of the technology.
Section 7, Part I: Societal Issues—Legal
Considerations and Implications
Disclaimer: The legal considerations and issues presented
in this section do not constitute legal advice or counsel
and must not be construed as serving that purpose. They
are intended to alert the reader to current primary issues
regarding the use of biometrics under United States laws,
the U.S. legal system, and selected non-U.S. references.
Background
The handling of personal information by the government
or a private institution raises the sensitive issue of individual
privacy and there are numerous laws and regulations
that are or may be applicable. For the purpose of
Version 2 – Summer 2008

Section 7 2 Biometric Social and Cultural Implications
this discussion, it should suffice to recognize that these
laws and regulations rest on four fairness concerns: notice,
choice, access, and safeguards. 70
Notice should allow people to know what personal information
is being collected by the government or any private
sector group, how it is being used, and with whom
it might be shared. Choice should allow people to decide
whether to give the information, to what extent it will
be used, and to whom it will be given. Access should allow
people to know what information the government
or other organization has about them and allow them to
correct it. Finally, the safeguarding of this information
should be sufficient to meet a reasonable standard for
data security.
When evaluating and designing a biometric-based system
for use in either government or private sector applications,
there are several key questions that should be
asked and considered. These include 71 :
•
•
•
•
Can the biometric system be narrowly tailored to its
task?
Who will oversee the program?
What alternatives are there to biometric technologies?
What information will be stored and in what form?
70 Privacy Online: Fair Information Practices in the Electronic Market-
place. Federal Trade Commission. May 2000, p. iii.
71 Biometric Technology: Security, Legal, and Policy Implications. Legal
Memorandum #12. Paul Rosenzweig, Alane Kochems, and Ari Schwartz.
The Heritage Foundation. June 2004. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 3
•
•
•
•
•
•
•
•
•
•
•
•
To what facility/location will the biometric give
access?
Will the original biometric material be retained?
Will biometric data be kept separately from other
identifying personal information?
Who will have access to the information?
How will access to the information be controlled?
How will the system ensure accuracy?
Will data be aggregated across databases?
If information is stored in a database, how will it be
protected?
Who will make sure that program administrators are
responsive to privacy concerns?
Can people remove themselves from a database voluntarily?
How will consistency between data collected at multiple
sites be maintained?
If there is a choice, will people be informed of optional
v. mandatory enrollment alternatives?
Biometric technology has substantial potential to improve
security—public, private, and national—by providing a
means to identify and verify people in many contexts. In
many circumstances, this use will provide a substantially
higher level of security beyond the current means of
Version 2 – Summer 2008

Section 7 4 Biometric Social and Cultural Implications
identification. This will be of special utility in controlling
access to areas where security risks are especially high—
airport tarmacs, critical infrastructure facilities, etc.
As with all new technologies, however, there is potential
for abuse. Thus, there is a legitimate public concern that
biometric technology could be misused to invade or violate
personal privacy or other civil liberties. Some of the
fears surrounding biometric information are that it could
be:
•
•
•
•
Gathered without permission, knowledge, or clearly
defined reasons
Used for a multitude of purposes other than the one
for which it was initially gathered (function creep or
mission creep)
Disseminated without expressed permission from
the biometric feature “owner”
Used to learn about people for surveillance or social
control purposes
There are also concerns about tracking, which is realtime
or near-real-time surveillance of an individual and
profiling, where a person’s past activities are reconstructed.
Both of these would destroy a person’s anonymity.
Identity fraud and theft are major issues, too.
In properly determining how best to enhance both
civil liberty and security, it is useful to have some basic
principles for assessing use of a particular biometric
technology. Generally, and with specific requirements
for special exceptions, such a code of principles should
include:
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 5
•
•
•
•
•
Enrollment in biometric systems should be overt instead
of covert. Before one is enrolled in a biometricbased
program, he/she should be made aware of the
enrollment.
Biometric systems should, when possible, be designed
to operate with local, segmented, or distributed
storage of data (for example, on smart cards)
rather than in a central storage database. Centralized
storage of biometric data increases security requirements
and needs additional protection against
function or mission creep. For some biometric technologies
and national or special applications, local
storage may not be feasible or practical.
It would be preferred to have a biometric-based system
that is “opt-in” and requires a person to consent
rather than those that are mandatory. This does not
mean that requiring someone to opt-in cannot be
made a condition of participation, (for example, if a
person wants to enter the United States he/she must
provide a biometric) since participation is ultimately
voluntary. Additionally, certain biometric applications
(e.g., DNA for convicted terrorists and criminals)
may need to be mandatory).
For privacy and security reasons, one should prefer
biometric systems that reduce the biometric to a
template or reference, rather than maintaining a
stored image. Generically, references are harder to
falsify. However, the decision will depend on the
application.
Where feasible, biometric systems should consider
the use of a form of verified pseudonymity, where
the authorization for use by the identified individual
Version 2 – Summer 2008

Section 7 6 Biometric Social and Cultural Implications
•
•
•
is conveyed while the identity is concealed unless
and until suitable authorization for “piercing the veil
of anonymity” is received.
Any biometric system should have strong audit and
oversight programs to prevent misuse. The Privacy
Act of 1974 addresses some of these concerns since
it limits the ability of federal agencies to collect, use,
or disclose personal information like biometric data.
There are, however, exceptions for national security
and law enforcement purposes. Recourse to these
exceptions should be well-documented and subject
to periodic review.
Any biometric system is only as strong as the initial
enrollment. An ideal way to evade biometric detection
is to be improperly registered as a legitimate
user. In conjunction with the deployment of any
new biometric system, one must take care to monitor,
audit, and periodically test the enrollment process.
Enrolled data should also be subject to routine
secondary review to identify those mistakenly enrolled
in the first instance.
Similarly, a biometric system is only as strong as its
back-up alternative. The principle of layered security
requires that those implementing biometric identification
systems have in place a suitable secondary
identification system for use when the primary biometric
system fails or provides an inconclusive result.
It will not do, for example, for the back-up to a
biometric system to be a simple, insecure, signature
verification.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 7
U.S. citizens—as well as citizens of other countries—value
their privacy and autonomy. These rights are the very
concepts and beliefs the United States was founded on.
Given our increasing need for more fool-proof and accurate
(and convenient) methods of identification, how can
the need for increased security and accurate identification
be best balanced to protect an enhance privacy? A challenge
is presented in how technologies like biometrics
can be used to provide security, while preserving privacy
and personal freedom.
For background, it should be noted that there are four
types of organizations covered by the laws pertaining to
the collection, maintenance, use, and storage of personal
data. They are:
1.
2.
3.
4.
Federal government agencies and their contractors;
Federal government agencies involved in intelligence
gathering or law enforcement and their contractors;
Private organizations that receive federal funding,
and
Private organizations that do not receive federal
funding.
Federal government agencies and their contractors are
subject to the strictest rules with respect to the collection,
maintenance, use, and storage of personal data. Private
organizations supported by federal funding are subject
to most but not all of the rules.
Data used by federal government agencies for intelligence
gathering or for law enforcement purposes have certain
Version 2 – Summer 2008

Section 7 8 Biometric Social and Cultural Implications
exemptions under the laws and regulations, but are also
required to comply with special directives or orders that
apply only to that community and its contractors. Private
organizations with no federal funding are currently not legally
restricted in collecting, maintaining, using, and storing
biometric data. 72 However, with regard to the latter, it
would be prudent to exercise reasonable care similar to
the requirements that apply to others.
U.S. Law and Implications
U.S. Constitutional Amendments
U.S. citizens’ rights to privacy—to due process and preventing
unreasonable search and seizure—is inherent in
the following Constitutional Amendments:
• Fourth Amendment—The
right of the people to be
secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not
be violated; and no warrants shall issue, but upon
probable cause, supported by oath or affirmation, and
particularly describing the place to be searched and
the persons or things to be seized.
• Fifth Amendment—No
person shall be held to answer
for a capital, or otherwise infamous, crime, unless
on a presentment or indictment of a grand jury,
except in cases arising in the land or naval forces, or
in the militia, when in actual service, in time of war,
80 Facial recognition technology has been used in casinos for years.
This unimpeded use of biometric information by the private sector
could change in the near future. For example, see California Bill SB-
169 introduced in 2001.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 9
or public danger; nor shall any person be subject, for
the same offense to be twice put in jeopardy of life or
limb; nor shall any person be compelled, in any criminal
case, to be a witness against himself, nor be deprived
of life, liberty, or property, without due process
of law; nor shall private property be taken for public
use, without just compensation.
• Fourteenth Amendment—Section
1. All persons born
or naturalized in the United States, and subject to the
jurisdiction thereof, are citizens of the United States
and of the State wherein they reside. No State shall
make or enforce any law which shall abridge the privileges
or immunities of citizens of the United States;
nor shall any State deprive any person of life, liberty,
or property without due process of law, nor deny any
person within its jurisdiction the equal protection of
the law.
Du E pR O C E s s 73
The concept of due process requires the United States
government to fulfill its obligations with reason, consideration,
and fairness. It is the government’s duty to provide
eligible citizens with certain rights and privileges. If
a government agency is going to deem a person ineligible
and unqualified for these privileges, the reasons must
be substantiated, and the citizen must be given an opportunity
to appeal. The method used for appealing ineligibility
is called a pre-termination or predetermination
hearing, which occurs prior to the actual suspension of
73 Portions adapted from Biometric Applications: Legal and Societal Considerations.
National Biometric Test Center. San Jose State University.
Adapted from a presentation by Dr. Kenneth P. Nuger of SJSU Political
Science Dept. Used with permission from James Wayman.
Version 2 – Summer 2008

Section 7 10 Biometric Social and Cultural Implications
rights and privileges.
There have been instances when the government has
denied rights without providing a hearing and, because
it was justified as in the interests of public safety, it was
ruled that due process had not been violated. Such cases
include the seizing of mislabeled vitamins 74 and spoiled
food 75 and denying employment to a cook in a defense
contractor’s plant. 76
However, in the case Goldberg v. Kelly, 85 the Supreme
Court determined that pre-termination hearings were
required prior to denying a person Aid to Families with
Dependent Children (AFDC) payments. Since that ruling
in 1970, hearings have become a precedent for meeting
the terms of due process.
In addition to due process, the issue of information accuracy
must also be considered in the use of biometricbased
systems. Case law illustrates that government decisions
based on inaccurate data or flawed procedures
are unconstitutional. 78 Decisions to deny or allow access
or privileges that are based on faulty or inaccurate information
will be subject to criticism and recall. Not only
will the accuracy of the biometric system be questioned,
74 Ewing v. Mytinger and Casselberry, Inc., 339 U.S. 594 (1950).
75 North American Cold Storage Company v. Chicago, 211 U.S.
306 (1908).
76 Cafeteria and Restaurant Workers Union v. McElroy, 367 U.S.
886 (1961).
77 Goldberg v. Kelly, 397 U.S. 254 (1970).
78 For example, many drug testing cases during the 1980s, before the
United States Supreme Court decided Von Raab, overturned employee
dismissals whose drug tests turned up positive because early urinalysis
testing approached only a 95%-99% accuracy range.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 11
but so will its reason for being, operational procedures,
user training, and all other aspects surrounding the biometric.
If improper system implementation, poor training,
or an error in the biometric system itself, results in a
person being falsely denied entry into a country, for example,
courts may determine that due process has been
violated.
There are major legal implications and issues for the use
of biometrics in both public and private applications.
Agencies and companies will have to train their personnel
to use the biometric system(s) in the proper manner,
as well as establish procedures for system implementation,
use, maintenance, identity authentication (see section
on Breeder Documents), and accommodating grievances.
Legal issues related to due process may not be as numerous
as those related to privacy (see Section 7, Part II: Privacy
Considerations and Implications). The privacy rights
rooted in the 4th, 5th, and 14th Amendments will continually
come up for debate as more applications for biometric
technologies are proposed and implemented. An
important consideration for those designing, implementing,
and using biometric-based systems, as biometrics
are further developed and enhanced, is their level of intrusiveness.
fO u R t h am E n D m E n t Ex a m p l E 79
In the Supreme Court case Katz v. United States 80 the
79 Portions adapted from Biometric Applications: Legal and Societal
Considerations. National Biometric Test Center. San Jose State University.
Adapted from a presentation by Dr. Kenneth P. Nuger of SJSU Political
Science Dept. Used with permission from James Wayman.
80 Katz v. United States, 389 U.S. 347 (1967).
Version 2 – Summer 2008

Section 7 12 Biometric Social and Cultural Implications
court interpreted that the Fourth Amendment protects
people, but not places, meaning, wherever a person has
a reasonable expectation of privacy, he/she is entitled to
be free from unreasonable government intrusion. However,
there are times when the government has justifiably
set aside a person’s Fourth Amendment rights in the
interest of public safety.
In the case of fingerprinting or drug testing, these collections
of biometric features or specimens can be
considered a “search.” Such activities are done when
a person is suspected of wrong-doing. It is likely that
eventually some latitude may be given for biometric
applications, as it has been given for drug testing.
For example, a situation where the concept of “suspicionless
search” was given latitude was in the case National
Treasury Employees Union v. Von Raab, 81 where
the court allowed drug testing on large groups of federal
employees, even if none were suspected of drug
use. This is called “suspicionless search.” Prior to the
Michigan v. Sitz 82 case in 1990, which involved sobriety
checkpoints, suspicionless search was reserved for non-
criminal searches. In Sitz, the Supreme Court allowed
data from these random sobriety checkpoints to be used
to link an individual to a crime, expanding suspicionless
searches to criminal searches.
82 National Treasury Employees Union v. Von Raab. 489 U.S. 656 (1989).
82 Michigan v. Sitz. 494 U.S. 444 (1990).
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 13
fi f t h am E n D m E n t Ex a m p l E 83
The Fifth Amendment protection from self-incrimination
has been expanded to include both criminal proceedings
and non-criminal procedures that might result in criminal
prosecution. The Fifth Amendment includes: “No person
. . . shall be compelled in any criminal case to be a witness
against himself.”
Biometric reference collection methods could be considered
controversial, particularly those already considered
intrusive. An example of non-intrusive sample-taking is
featured in the 1957 Breithraupt v. Abram 84 case. In this
case, a blood sample was taken from an unconscious
suspect involved in a deadly car accident. The court ruled
that this evidence was admissible because blood samples,
like fingerprinting and urine samples, are commonplace,
relatively non-intrusive, and acceptable to society.
In another case, Schmerber v. California, 85 it was reiterated
in 1966 that forced writing, speaking, fingerprinting,
and walking or gesturing could be used for identification
in court. Perkey v. Department of Motor Vehicles 86 was
a civil case dealing with issuing drivers licenses. In this
case, the court upheld that since fingerprinting did not
penetrate the skin, it did not violate personal dignity or
privacy rights. [There are a number of U.S. states currently
incorporating fingerprint- or other biometric-based
83 Portions adapted from Biometric Applications: Legal and Societal Considerations.
National Biometric Test Center. San Jose State University.
Adapted from a presentation by Dr. Kenneth P. Nuger of SJSU Political
Science Dept. Used with permission from James Wayman.
84 Breithraupt v. Abram. 352 U.S. 432 (1957).
85 Schmerber v. California. 384 U.S. 757 (1966).
86 Perkey v. Department of Motor Vehicles. 721 P.2d. 50 (Cal. App. 1986).
Version 2 – Summer 2008

Section 7 14 Biometric Social and Cultural Implications
driver licensing programs. For further information, see
BTAM Volume 2: Section 12: U.S. State and Regional Applications.]
Given the rulings in these examples, it can be assumed
that biometric features will be treated similarly since
most biometric systems use what are generally considered
to be day-to-day and “socially acceptable” actions,
like submitting a fingerprint or handwriting sample.
Impact on Civil Liberties 87
Much attention has been focused on airline passenger
identification since the September 11, 2001, terrorist attacks.
Boston’s Logan Airport was the access point for
several hijackers. Would a working facial recognition or
other biometric-based system have successfully warned
officials about these terrorists? What is the impact of
such a working system on “regular people” whose faces
or features are also scanned through the system, whether
covertly or overtly? Some believe that an identification
system based on facial recognition technology in a
surveillance application, for example, can pose several
threats to civil liberties, if not implemented carefully.
Any potential privacy threats to, or false accusations of,
innocent people must be minimized.
As presented throughout this volume, the degree
of similarity between biometric templates/
references that is required for a positive match depends
on the decision threshold (false accept and false reject
ratio), which is defined by the system owner. A high se-
87 Portions adapted from Biometrics and the Threat to Civil Liberties. IEEE
Computer magazine. ® April 2004 IEEE. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 15
curity level—low or no false accepts and/or high or many
false rejects—could cause otherwise innocent people
to be inconvenienced or falsely accused. Or, the system
could be set for low security, potentially allowing wrongdoers
to get through or escape the system. Privacy implications
for the biometric system users (i.e., passengers in
this example) are directly correlated to the security sensitivity
settings (decision threshold parameters) of the biometric
system being used.
Another important civil liberty issue involves the potential
for biometric systems to locate and physically track
airline passengers. Covert instead of overt “scanning”
and tracking of passengers as they move through and
between airports could lead to civil liberties concerns
and challenges. As was presented earlier, the Fourth
Amendment protects U.S. citizens against illegal searches
and seizures by the U.S. government. Article 12 of the
United Nation’s Universal Declaration of Human Rights,
adopted in 1948, guards against unqualified or unjustified
interference with a person’s home, family, or privacy.
Use of a covert facial recognition system at an airport, for
example, may be considered a civil liberties violation, depending
on the nature of data collected, how it is used,
and how/where it is stored.
In this or any other application, how and where to store
the collected biometric data must be carefully considered,
since it is common practice to store biometric data
for an extended period of time after the initial enrollment
references are collected. If an unfortunate event should
occur, the biometric data could be helpful in an investigation.
Decisions must be made regarding data accessibility,
security, and data organization, defining who can
access the data, how it can be used, and how and when
biometric data will be destroyed. Implementing a large-
Version 2 – Summer 2008

Section 7 16 Biometric Social and Cultural Implications
scale biometric system requires a series of critical technical
decisions concerning security and database safeguards.
Many of these decisions can affect civil liberties.
Implications for Federal Agencies
Federal agencies and their contractors may only collect
or compile information regarding individuals necessary
for the proper performance of its functions and which
has practical utility and are required to obtain permission
for collecting personally identifiable information
that will be stored in a system of records. For example,
a federal agency may scan the faces in a crowd for a
match with a face on file without getting anybody in the
crowd’s permission, if the information gathered from the
crowd is discarded and not stored. 88 When permission
is required for research with human subjects it must include
informed consent. Informed consent can only be
given under circumstances that:
1.
2.
Provide the prospective subject sufficient opportunity
to consider whether or not to participate in the
project, and
Minimize the possibility of coercion or undue
influence.
88 This requirement comes from the Privacy Act and it hinges on the interpretation
of the Act’s use of the word “record.” The courts have not yet
provided an exact interpretation. For purposes of this report, the broadest
interpretation is being accommodated, i.e., any stored biometric is
a record. A tighter interpretation, e.g., the biometric must be linked to
one’s social security number or name, would allow the information from
the crowd scan to be kept in the above example.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 17
The information regarding the project and the consent
that is given to the subject shall be in language understandable
to the subject. Informed consent cannot include
exculpatory language where the subject is required
to waive or appear to waive any of his/her legal
rights, or releases or appears to release the investigator,
the sponsor, the institution or its agents from liability for
negligence. 89 Consent must be recorded in writing and
signed by the subject. Consent forms must include notice
of The Privacy Act of 1974 (the “Privacy Act”), the applicant’s
rights under the Privacy Act, how the information
collected will be routinely used, the authority for
the collection, and the consequences to the applicant of
not providing the requested information, if any. 90 When
agencies collect personal information, they are required
to provide a notice in the Federal Register that includes
certain information, such as the name and location of the
system of records, categories of individuals in the system,
and routine uses of the information. 91
89 These are the general requirements for informed consent for human
testing by a government agency. Language taken from the Code of Federal
Regulations, 45 CFR §46.116. Biometric testing falls under 45 CFR
46 pursuant to §46.101 and §46.102(f).
90 Language taken from the United States General Accounting Office’s
Information Management: Selected Agencies’ Handling of Personal Information,
(GAO-02-1058), Sep. 2002, p. 47, authority taken from The Privacy
Act of 1974, 5 USC §552a(e)(3).
91 Language taken from the United States General Accounting Office’s
Information Management: Selected Agencies’ Handling of Personal Information,
(GAO-02-1058), Sep. 2002, p. 47.
Version 2 – Summer 2008

Section 7 18 Biometric Social and Cultural Implications
International Considerations
OECD Guidelines
The OECD 92 is an international organization of countries
that creates a forum for its member states to “discuss, develop,
and refine economic and social policies,” which often
lead to agreements and treaties (both binding and
non-binding) among countries with regard to domestic
and international policies and cooperation with respect
to a multitude of issues. 93 There are currently 30 member
states. Non-member countries are also invited to subscribe
to OECD agreements and treaties.
On September 23, 1980, the OECD issued its Guidelines
on the Protection of Privacy and Trans-border Flows of
Personal Data, or OECD Guidelines. These guidelines,
which are non-binding, lay out eight principles of privacy
and recommend that member countries take these
principles into account when implementing domestic
policies regarding the flow of personal data. These privacy
principles have subsequently emerged as a universal
foundation for the formulation of national privacy
legislation and can be found in the privacy laws of many
countries. The eight principles are provided in Section
7.2.
EU Data Protection Directive
The law that most significantly impacts the legality and
92 Organization for Economic Cooperation and Development.
93 Organization for Economic Cooperation and Development, Overview
of the OECD.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 19
scope of biometric usage in the EU is Directive 95/46/EC,
also known as the Data Protection Directive, and sometimes
referred to as the Privacy Directive. This legislation
covers both the public and private sectors and closely
follows the OECD Guidelines.
The directive was passed almost a decade ago on October
24, 1995 by the Parliament and Council in an effort
to “remove the obstacles to the free movement of data
without diminishing the protection of personal data” and
took effect on October 25, 1998. The objective of the
Data Protection Directive is to harmonize national laws of
member states on processing personal data and protecting
the rights and freedoms of the persons about whom
data is concerned (“data subjects”). The importance of
the Data Protection Directive cannot be understated with
respect to the discussion of the use of biometric identifiers
and biometric recognition technology in the EU and
its member states.
The Data Protection Directive mandates that member
states respect specific rights and obligations in the following
areas: data quality; legitimacy of the data processing;
special categories of processing; information to
be given to the data subject; the data subject’s right of
access to the data; the data subject’s right to object to
and/or correct the data processing; confidentiality and
security of processing; establishment of a public data
protection supervisory authority; notification of processing
to the supervisory authority; and transfer of personal
data to third countries.
Data Quality
• : Personal data must be: (1) processed
fairly and lawfully; be collected for specified, explicit,
and legitimate purposes; (2) adequate, relevant, and
not excessive in relation to the purposes for which
Version 2 – Summer 2008

Section 7 20 Biometric Social and Cultural Implications
they are collected; (3) accurate; and (4) kept in a form
which permits identification of data subjects for no
longer than is necessary.
• Legitimacy of Data Processing:
Personal data may
be processed only if (1) the data subject has unambiguously
given his/her consent; or (2) the processing
is necessary either (a) for the performance of a
contract to which the data subject is a party; (b) for
compliance with the data controller’s legal obligation;
(c) to protect the vital interests of the data subject;
(d) for the performance of a task carried out in
the public interest; (e) for the purposes of the legitimate
interests pursued by the controller or by the
third parties to whom the data is disclosed, except
where such interests are overridden by the “fundamental
rights” of the data subject.
Prohibition on Processing of Sensitive Data
• : The
processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical
beliefs, or trade-union membership, and the
processing of data concerning health or sex life, are
strictly prohibited. An exception is permitted if the
data subject gives explicit consent, or if it is necessary
to protect the vital interests of the data subject
in the event that the data subject is incapable of giving
consent. There are several other limited exceptions,
such as where the processing of such data is
necessary in the performance of obligations mandated
by employment law. Subject to the provision
of “suitable safeguards” and notification to the Commission,
the member state may provide additional
exemptions for reasons of public interest. If the processing
of the data relates to offences, criminal convictions,
or security measures, it may be carried out
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 21
only under the control of official authority. Member
states must determine the conditions under which
a national identification number or any other identifier
of general application may be processed. This
prohibition could potentially impact the processing
of biometric data, particularly if such data reveals the
data subject’s race or ethnic background. For example,
a facial image, which is essentially a digital photograph,
can presumably reveal a person’s race, and
possibly even ethnic background, to anyone observing
the image.
• Information to be Given to the Data Subject:
Whenever
personal data is collected, recorded, or disclosed
to a third party, the data subject must be provided
with information as to the identity of the data controller
and the purpose of the processing for which
the data are intended. Additionally, insofar as it may
be necessary under the circumstances and with regard
to fairness to the data subject, further information
may be required to be given, such as the categories
of data concerned, the recipient or categories of
recipients of the data, whether giving the information
is voluntary or involuntary, and the existence
of the data subject’s right to access and correct the
data.
The Data Subject’s Right of Access to Data
• : The data
subject must have the right to obtain the following
from the controller: (1) confirmation as to whether or
not data relating to them is being processed; (2) the
purpose of the processing; (3) the categories of data
being processed; (4) the recipients of the data; (5) an
intelligible form of the data; (6) information on the
source of the data; (7) knowledge of the logic (i.e. the
rationale) involved in any automatic processing of the
Version 2 – Summer 2008

Section 7 22 Biometric Social and Cultural Implications
•
data; rectification (including erasure or blockage) of
incomplete/inaccurate or unlawfully obtained data;
and (8) notification to third parties to whom the data
has been disclosed of any such rectification.
Establishment of and Notification to Supervisory
Authority: Each member state must appoint a public
supervisory authority to monitor and enforce
the application of the Directive. Subject to certain
exceptions, data controllers or their representatives
must notify the supervisory authority before carrying
out “any wholly or partly automatic processing
operation or set of operations intended to serve a
single purpose or several related purposes.” There
are specific requirements regarding the content of
such notice, including notification of any proposed
transfers of data to non-EU countries. In addition,
the supervisory authority must maintain a public
register of processing operations.
Transfer of Personal Data to Non-EU Countries
• :
Subject to certain exceptions, transferring personal
data to a non-EU country requires assurances of an
adequate level of protection. “Adequacy” is to be assessed
in light of all the circumstances surrounding
a data transfer operation, giving particular consideration
to the nature of the data, the purpose and
duration, the country of origin and final destination,
the non-EU country’s laws, and the professional rules
and security measures which are in that country.
The European Commission is empowered to determine
whether or not a non-EU country ensures an
adequate level of protection, in which case member
states must comply with the Commission’s determination.
If the Commission determines that the non-
EU country does not have an adequate level of pro-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 23
tection, the data cannot be transferred.
The U.S. Department of Commerce, in consultation with
the European Commission, developed the Safe Harbor
Program to allow companies and organizations to certify
that they maintain the necessary privacy protection standards
as mandated by the Directive. 94
The Safe Harbor Program provides U.S. and EU firms with
numerous benefits. Listed below are some of the benefits
for U.S. firms:
1.
2.
3.
All 27 Member States of the European Union will be
bound by the European Commission’s finding of adequacy;
Companies participating in the safe harbor will be
deemed adequate and data flows to those companies
will continue;
Member State requirements for prior approval of
data transfers either will be waived or approval will
be automatically granted; and
94 The U.S. Department of Commerce’s International Trade Administration,
“Safe Harbor Privacy Principles Issued by the U.S. Department of
Commerce on July 21, 2000,” http://www.export.gov/safeharbor/SH_
Privacy.asp.
Version 2 – Summer 2008

Section 7 24 Biometric Social and Cultural Implications
4.
Claims brought by European citizens against U.S.
companies will be heard in the United States subject
to limited exceptions. 95
U.S. companies and organizations must agree to follow
seven principles on data security and privacy as outlined
in the Directive (See List 1 in appendix). More than 1500
companies and organizations are Safe Harbor-certified.
They must undergo a recertification annually by either
performing a self-assessment of adherence to the seven
principles on data security and privacy principles or hire
a third party to perform the assessment.
The Safe Harbor Program has received a fair amount of
criticism for being a weak protector of privacy, because
the program does not take into account state, national,
and other international laws. Moreover, since the European
Union passed a directive and not a regulation, for it
to be effective, member states must implement national
laws - causing delays and sometimes confusion and
contradiction with existing laws and procedures. Wells,
Courtney and Vogel explain that, while a U.S.-based corporation
or entity without any assets in Europe would be
safe simply relying on the Safe Harbor Principles, those
that have assets inside of Europe will be subject to further
national legislation, which could be stricter than the
Directive. 27
95 The U.S. Department of Commerce’s International Trade Administration,
“Safe Harbor Overview,” http://www.export.gov/safeharbor/SH_
Overview.asp.
27 Steven A. Wells, Mark Courtney and Peter Vogel. “UnSafe Harbor: No
Common Denominator in Privacy Compliance,” Computer Law Review
& Technology Journal 9, no. 1 (2004), http://www.libraries.wvu.edu.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 25
United Kingdom Data Protection Act
In addition to following United States laws regarding
the use and integration of biometric technologies into a
public or private application, it is particularly important
for any applications that may be cross-borders or cross-
jurisdictions to consider the legal requirements outside
of the United States. One such example is the UK Data
Protection Act of 1998, which closely follows the EU Data
Protection Act.
All controllers of biometric data must adhere to the eight
data protection principles. The obligations of controllers
of biometric data are summarized below: 97
1.
Personal data shall be processed fairly and lawfully.
In order for this principle to be met, the user must be
told exactly why the data is being processed and the
identity of the data controller. Generally speaking,
the consent of each subject must also be obtained
for processing (unless limited exemption applies).
The EU data protection Working Party states that systems
that collect data without the knowledge of their
subjects (such as distance facial recognition systems)
must be avoided. If the data is sensitive, then the requirements
are even more stringent. In the majority
of cases, the subject must be fully informed of all the
relevant information and must explicitly give their
consent. When sensitive data is concerned, implied
consent will not suffice. The form of the consent will
97 Knowing Me, Knowing You: Biometrics, the Security Industry, and the
Law. Nick Mallet, Martineau Johnson. November 2004. www.martineau-johnson.co.uk.
Used with permission.
Version 2 – Summer 2008

Section 7 26 Biometric Social and Cultural Implications
2.
vary with the circumstances. For example, notices
concerning the existence of CCTV cameras carry with
them an implication of consent to being filmed and
possibly recorded.
Personal data shall be obtained only for specified
and lawful purposes and shall not be processed
in a manner incompatible with those purposes.
This principle, which overlaps the first, concerns the
obtaining and processing of information. It prohibits
data controllers from further processing information
that would otherwise be incompatible with the
defined purpose(s) for which the data was collected.
Data subjects/users must not be deceived or misled
about the intended purpose of collection. For example,
biometric data processed for access control purposes
must not be used to assess the emotional state
of the user or for surveillance in the workplace. All
measures must be taken to prevent such incompatible
re-use. It is thought that the centralized storage of
biometric data increases the risk that databases could
be linked together, thus leading to more detailed profiles
of individuals. If this were to occur, then the ambit
of the original purpose would be exceeded. The
EU data protection Working Party recommends that
biometric data remain with the person (user), for example,
on a smart card, mobile phone, or bankcard.
In addition, this principle imposes an obligation on
those who disclose biometric data to a third party to
impose contractual obligations on that third party to
process the information only for purposes compatible
with the data controller’s original specified purpose.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 27
3.
Personal data shall be adequate, relevant, and not
excessive.
The central idea of this principle is proportionality.
The data controller should ask himself whether or not
his intended purpose could be achieved in a less intrusive
way taking into account the risks to the individual’s
fundamental rights and freedoms. For example, in
France the authorities refused to use childrens fingerprints
for access to a school restaurant, but accepted
the outline of the hand pattern for the same purpose.
Data controllers will need to tailor each system to the
specific requirements of the situation. A specific difficulty
may arise as biometric data often contains more
information than is necessary for its identification or
verification functions, especially where raw data (such
as an original image) is concerned. Data controllers
should destroy unnecessary and irrelevant data as
soon as possible and construct users’ references so as
to preclude the processing of these data.
Data protection authorities have suggested that biometric
systems relating to physical characteristics
that leave traces (e.g., fingerprints rather than hand
shape) or those that store information in the control
access device or a central database, may be excessive
as they present more of a risk to the fundamental
rights and freedoms of individuals. Therefore, it
is recommended that biometrics be stored in an object
exclusively available to the user such as a smart
card, mobile phone, or bankcard. However, a central
database will be required if the function of identification
(“who am I?”) is to be carried out rather than
the function of verification (“am I who I say I am?”). In
these cases, particular care must be taken and safeguards
put in place to preserve the individual’s rights
Version 2 – Summer 2008

Section 7 28 Biometric Social and Cultural Implications
4.
5.
and freedoms.
Personal data shall be accurate and, where necessary,
kept up to date.
Data controllers are under an obligation to take reasonable
steps to verify the accuracy of the data they
obtain, but given the current state of technology,
accuracy is still proving problematic for biometric
systems to achieve. Indeed, most biometric systems
have some flaws. For instance, it is estimated that
five percent of people do not have readable fingerprints
(either because of manual labor, hand cream,
or genetic makeup, etc.).
The problem is that such flaws could leave biometric
systems open to challenge. The EU data protection
Working Party emphasizes the importance of accuracy
in biometric systems. Errors can have severe
consequences, including the false rejection of those
authorized and the false acceptance of those unauthorized.
Faced which such “indisputable” evidence,
individuals may find it impossible to prove the contrary.
A viable option for data controllers is to employ
a combination of measures or a multi-biometric system
to achieve greater accuracy.
Personal data shall be kept no longer than
necessary.
This principle overlaps with the third. It imposes
an obligation on data controllers to keep personal
data under constant review and delete all information
that is no longer required for the purpose it was
originally obtained. For example, it may be that a
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 29
6.
7.
particular threat to security is no longer present and
therefore the data is no longer needed.
Personal data shall be processed in accordance with
the rights of the data subject/user.
This principle will be breached when a data controller
fails to comply with an individual’s justified request
to cease processing his/her biometric data or
fails to respond to any request within a reasonable
amount of time.
A breach will also occur if a data controller does not
comply with any subject/user access request. In certain
circumstances, data subjects have a right to make
these requests about the information being pertaining
to them. The requests must be in writing and the
data controller can charge a fee for dealing with each
one. The data controller should satisfy him/her-self
as to the individual’s identity (so as to adhere to the
seventh principle) and can ask for details as to the location
of the data. Each request must be dealt with
within a reasonable amount of time.
Appropriate measures shall be taken to prevent unauthorized
use or accidental loss of personal data.
Maintaining the security of biometric data is fundamental
to safeguarding the rights and freedoms of
the individual. The dangers of failing to meet this obligation
are severe. Were someone to have stolen his
biometric identity, an individual could not change
his genetic attributes as easily as he could change his
computer password. This could cause irretrievable
damage to the individual concerned and limit their
Version 2 – Summer 2008

Section 7 30 Biometric Social and Cultural Implications
8.
freedom in future. Data controllers must therefore
ensure that protective measures give a level of security
that is appropriate to the harm that might result.
Particular care is required when biometric data
is transmitted over a network or the Internet. Security
measures could include the encryption of users’
references, the protection of encryption keys, and
access control.
However, the Data Protection Act accounts for the
“state of technology” (and its cost) available to the
data controller at the relevant time. It is advisable
that the data controller monitor changes in technology
to avoid inadvertently breaching the legislation
by failing to upgrade security systems. The EU data
protection Working Party advocates developing encryption
keys based on biometric data. These would
allow an individual’s biometric data to be decoded
only on the basis of a new collection of biometric
data from the data subject herself/himself.
The seventh principle also imposes an obligation on
the data controller to ensure, as reasonably possible
in the circumstances, the reliability of all employees
who have access to personal data. Given the greater
importance of biometric data, this obligation is likely
to be more stringent, with a greater degree of training
required for employees.
Personal data shall not be transferred outside the
EU unless that country ensures an adequate level of
protection.
This principle is particularly relevant for multi-
national companies with offices and staff in different
countries. For example, Microsoft was fined by
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 31
Spanish data protection authorities for sending details
about its Spain-based staff to company headquarters
in the United States. The United States did
not have an adequate level of protection. If data/
information must be transferred, a Transborder Data
Flow Agreement should be put into place, containing
appropriate contractual provisions to secure compliance
with the other seven principles and adopting
the EU Commission’s approved clauses.
Trans-Border Data Flow
The United States currently, as of this writing, does not
have a comprehensive personal data protection law
(PDPL). Consequently, it is not considered to be a country
having a law that offers “equivalent protection” of
personal data. Unless other measures are taken, the
transmission of personal data to the United States for automatic
processing may be prohibited by the PDPLs of
some countries, even if registration is not necessary under
the relevant PDPLs to conduct identical data processing
functions within those countries.
In some cases, obtaining permission of the data subjects/users
is sufficient to permit an otherwise impermissible
trans-border data flow to occur. However, in some
countries such as Switzerland, the duty to avoid sending
personal data to a recipient without having “equivalent
protection” in place is absolute, and even obtaining individuals’
consent is not sufficient. 98
In order to provide “equivalent protection” when
Version 2 – Summer 2008

Section 7 32 Biometric Social and Cultural Implications
personal data is to be transmitted to the United States,
the sender may have to enter into a written agreement
with the United States recipient, whereby the recipient
affirmatively agrees to abide by data processing
standards comparable to those required by CoE No. 108. 99
Formal adoption of written data protection policies and
implementation of additional security measures may
also be necessary. In those countries where obtaining
consent is sufficient, obtaining the consent of all affected
customers may be the only way to provide a basis for a
trans-border data transfer to the United States, which
would otherwise be impermissible.
CoE No. 108
Under personal data protection laws, the gathering, storage,
processing, and transmission of personal data is
subject to certain rules that CoE No. 108 made universal,
including:
•
•
The data must be collected in a “fair” manner (i.e., not
through deceptive or illegal means).
The data can only be used for the purpose for which
it was collected and only for the time reasonably
necessary.
98 Foreign Laws Affecting Data Processing and Transborder Data Flows.
Paul H. Silhan.
99 CoE No. 108. Council of Europe. Directive that established minimum
standards for personal data protection. Signatory countries agreed to
implement this through domestic legislation and enunciates certain
rights individuals have with regard to their personal data.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 33
•
•
•
•
Persons are entitled to receive a report, on request,
on what data has been collected by a particular company
or government agency about them.
One’s personal data cannot be disclosed to third parties
unless authorized by statute or the individual has
given consent (although the consent can sometimes
be implied).
Persons have the right to make corrections to their
personal data and, in some cases, to have deleted or
disputed data flagged as such.
The transmission of personal data to locations where
“equivalent protection” of personal data cannot be
assured is prohibited.
Data Protection Authority
In several countries, including the United Kingdom, many
forms of personal data processing must be registered
with a data protection authority unless an exemption is
available or the individual has given consent to use and
process his/her personal data in a manner that otherwise
would be prohibited by the data protection laws.
Registration typically involves filing information about
the data processing operation, such as what types of data
are being collected and processed, what types of security
are in place, who has access to the data, and where the
data is being transmitted. Failure to register, if required,
subjects the company to fines and, in some countries
Version 2 – Summer 2008

Section 7 34 Biometric Social and Cultural Implications
such as Germany, to possible jail sentences. 100
Summary
Biometric technology is legally neutral. How it is used (or
more accurately misused) can raise questions of legality
and a possible determination of whether such use meets
all of the stipulations and prohibitions relative to that usage.
Similarly, biometric technology is not an intrinsic
threat to privacy or civil liberties and claims to the contrary
are not helpful in finding the appropriate niche for
promoting in identity assurance. Beyond the issue of “anonymity,”
biometrics issues are left to rely on standards of
reasonableness and common sense when specific usage
is not addressed by the law. This is not a position to be
taken lightly and the biometric community and owner/
operators have a fundamental obligation to integrate
the technology with minimal negative impact on the using
population in their society.
Ultimately, issues regarding usage alternatives and propriety
will be resolved in individual case law or by antiabuse
legislation at the national level. In any event, and
until a more comprehensive resolution is available, compliance
with the rules that are in place and a liberal interpretation
of the “reasonable and common sense” dictum,
is appropriate for all participants in the biometric community.
100 Foreign Laws Affecting Data Processing and Transborder Data Flows.
Paul H. Silhan.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 35
Section 7, Part II: Societal Issues—Privacy
Considerations
The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and
seizures, shall not be violated. 101
Privacy advocates claim that taking biometric data from
an individual without the express consent of that individual
is a violation of the Fourth Amendment to the U.S.
Constitution. While this matter has not been settled in the
courts, it seems reasonable to presume that future privacy
rulings will fall under laws associated with searches
and seizures, and, therefore, the Fourth Amendment.
During the past 35 years, the United States Congress
has enacted some privacy laws that detail the manner in
which an agency of the federal government must maintain
records that it collects on its citizens.
The Federal Privacy Act of 1974, which covers federal
government agencies only and not private individuals or
industry, or state and local government agencies, defines
“record” as:
“...any item, collection, or grouping of information
about an individual that is maintained by an agency,
including, but not limited to, his education, financial
transactions, medical history, and criminal or employment
history and that contains his name, or the identifying
number, symbol, or other identifying particular
assigned to the individual, such as a finger or voice
print or photograph.”
101 The United States Constitution. 1791.
Version 2 – Summer 2008

Section 7 36 Biometric Social and Cultural Implications
There remains vast disagreement among the courts as
to how broadly to interpret the Privacy Act’s definition of
“record.” Accordingly, an examination of the holdings of
the lower courts is critical, though not definitive. For example,
the Second and Third Circuits have both applied
a broad interpretation of the term “records.” Conversely,
the Ninth and Eleventh Circuits have adopted narrow
constructions of the term “records,” thereby limiting the
Privacy Act to cover personal information maintained by
the government.
More recently, the Fifth Circuit issued a decision where
interpretation of the term “record” was a key issue. In Jacobs
v. National Drug Intelligence Center, the Fifth Circuit
Court of Appeals adopted a broad interpretation of the
term “record” by looking at the legislative history, which
the court believes supports a broader interpretation than
the one advanced by the National Drug Intelligence Center.
At issue was whether information about Jacobs that
was contained in an executive summary of an internal report
leaked by the National Drug Intelligence Center was
a record. The court held that the executive summary was
a record constituting a violation of the Privacy Act. 102
According to the OMB’s guidelines, even publicly available
information, such as newspaper clippings or press
releases, can constitute a “record.” 103 Several courts, in-
102 Jacobs v. National Drug Intelligence Center, 423 F. 3rd 512 (5th Cir.
2005)
103 See OMB Guidelines, 40 Fed. Reg. 56, 741, 56, 742 (1975) (“[c]
ollections of newspaper clippings or other published matter about an
individual maintained other than in a conventional reference library
would normally be a system of records”).
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 37
cluding the Eleventh Circuit Court of Appeals, have agreed
with this interpretation. 104 Under such an interpretation, a
biometric would constitute a record subject to the Privacy
Act even if it were construed as publicly available information,
since biometrics are certainly no more public than
published information.
It should be noted that many biometric “records” are often
one-way encrypted digitized representations that
reveal nothing about the person. As such, they may be
less likely to be deemed “records” under the Privacy Act.
In iris identification, for example, there is no need to have
any personal information maintained in the database. All
that is needed is the encrypted template for the access
control system to function. Thus, to fall under the Privacy
Act, such encrypted template (separate from the biometric)
would itself have to be deemed a record. Because the
encrypted template cannot be traced to the person from
whom it was taken, it is highly questionable whether an
encrypted template is a record if there is no other personally
identifying information or other personal information
attached to it.
The Act prohibits an agency of the U.S. Government from
providing citizen records to a third party without the individual’s
consent, allows a person to correct erroneous information
about him/her, and legislates that all information
about an individual must be made available to that
individual. Under the law, federal agencies are allowed to
request an exemption, if they are involved in law enforce-
104 See Clarkson v. IRS, 678 F.2d 1368, 1372 (11th Cir. 1982) (permitting
challenge to agency’s maintenance of newletters and press releases);
Murphy v. NSA, 2 Gov’t Disclosure Serv. (P-H) paragraph 81, 389, at 82,
036-37 (D.D.C. Sept. 29, 1981) (permitting challenge to agency’s maintenance
of newspaper clippings).
Version 2 – Summer 2008

Section 7 38 Biometric Social and Cultural Implications
ment or national security defense, generally. The Central
Intelligence Agency, for example, is expressly exempt
from the law. 105
In August 2007, the Department of Homeland Security
(DHS) requested an exemption from the law for its Arrival
and Departure Information System (ADIS). 106 ADIS is a
way of compiling data on aliens 107 flying into the United
States who could be national security threats. DHS then
shares the information with law enforcement, immigration
controllers, intelligence officers and other concerned
constituencies. 108 ADIS stores biographic, biometric indicator
and encounter data on aliens who have applied
for entry, entered or departed the Unites States. Primarily
and specifically, the system was developed to investigate
individuals who might have violated their immigration
status by staying in the United States longer than authorized.
109 ADIS will supplement the Passenger Name Record
Program (PNRP), a privately developed partnership
between airlines to track and screen their passengers.
The International Air Transport Association, an interna-
105 See Clarkson v. IRS, 678 F.2d 1368, 1372 (11th Cir. 1982) (permitting
challenge to agency’s maintenance of newletters and press releases);
Murphy v. NSA, 2 Gov’t Disclosure Serv. (P-H) paragraph 81, 389, at 82,
036-37 (D.D.C. Sept. 29, 1981) (permitting challenge to agency’s maintenance
of newspaper clippings).
106 U.S. Government Printing Office, “Privacy Act of 1974: Implementation
of Exemptions,” http://edocket.access.gpo.gov/2007/E7-16461.htm.
107 An “alien” is defined by the Immigration and Nationality Act as
anyone who is not a citizen or national of the United States. 8 U.S.C.
1101 (a)(3).
108 U.S. Department of Homeland Security, “Privacy Impact Assessment
for the Arrival and Departure Information System (ADIS): August
1, 2007,” http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_
usvisit_adis_2007.pdf.
109 Ibid.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 39
tional trade group of airlines, standardized what information
would be collected and the layout of PNRP. On
May 28, 2004, an international agreement was signed between
the United States and European Union concerning
PNRP and the usage of the information. PNRP is shared
between the United States and EU, if privacy practices are
upheld - specifically Directive 95/46/EC of the EU, 110 commonly
known as the Data Protection Directive, and the
Organisation for Economic Co-operation and Development
Guidelines on the Protection of Privacy and Transborder
Flows of personal Data. 111
In July 2007, the U.S. Department of Homeland Security
and the European Union entered into an agreement concerning
the transfer and sharing of PNRP data. Under the
terms of the agreement, DHS agreed to certain undisclosed
privacy assurances but at least adhering to the EU
Data Protection Directive and the OECD Guidelines. In return,
the EU will ensure that air carriers operating flights
to the United States will make their PNRP data available
to DHS. 112
110 Officcial Journal of the Eurpoean Communitities, “Directive 95/46/
EC of the Eurpoean Parliament and of the Council of 24 October
1995,” http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/
dir1995-46_part1_en.pdf..
111 OECD Directorate for Science, Technology and Industry, “OECD
Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data,” http://www.oecd.org/document/18/0,3343,en_2649_3425
5_1815186_1_1_1_1,00.html.
112 U.S. Department of Homeland Security, “Agreement Between the
United States of America and the European Union on the Processing
and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the
United States Department of Homeland Security (DHS),” http://www.
dhs.gov/xlibrary/assets/pnr-2007agreement-usversion.pdf.
Version 2 – Summer 2008

Section 7 40 Biometric Social and Cultural Implications
The Health Insurance Portability and Accountability
Act (HIPAA) of 1996 laid the groundwork for the privacy
of health records. Although lacking in specific details,
HIPAA mandates the development of standards for the
exchange and release of patient health records.
For the most part, the job of ensuring the confidentiality
and integrity of personal data in the commercial marketplace
is left to each state.
A complete summary of state privacy laws is beyond the
scope of this publication. However, they can be found
at the Electronic Privacy Information Center web site at
www.epic.org/privacy/consumer/states.html.
EU Data Protection Directive
The European Union Data Protection Directive (also
known as the EU Privacy Directive) provides comprehensive
privacy protection for personal information applicable
to all 27 EU member states. The Directive’s definition
of personal data includes biometric identification
records, and applies to American organizations handling
data in the EU.
Under the Directive, personal data is defined as any information
relating to an identified or identifiable natural
person. An identifiable person is one who can be identified,
directly or indirectly, in particular reference to an
identification number or to one or more factors specific
to his/her physical, biological, mental, economic, cultural,
or social identity.
While the term “biometric” is not specifically cited in the
text, biometric identification records will likely be im-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 41
plicated by the Directive’s definition of personal data.
Meaning, biometric vendors, systems integrators, and
any organization using or planning to use biometrics in
the EU should understand this Directive and comply with
its terms.
American business should closely examine this Directive.
Under the terms, all EU member states as well as any nonmember
state doing business in the EU are required to
follow “minimum standards” with respect to safeguarding
personal data. Specifically, Article 25 of the EU Data
Protection Directive forbids any transfer of personal data
from the EU to countries that do not guarantee or do not
have in place adequate safeguards for such data. For the
United States, where privacy laws may not conform to
the EU’s policies, the Directive poses obstacles since U. S.
companies may be denied access to the EU market or be
subjected to penalties for failing to protect the privacy
of EU citizens. The European Commission is empowered
to determine whether or not a non-EU country ensures
an adequate level of protection.
The Data Protection Directive bars the transfer of data
to non-EU countries without similar data protections in
place. The European Commission maintains a so-called
“white list” of countries that it believes have laws that adequately
protect data privacy. The United States’ exclusion
from this list has had a substantial impact on the free
flow of information containing personal data from the EU
to the United States.
On a business level, member countries have an affirmative
duty to make sure that any company in the United
States ensures an adequate level of protection before the
member state may transfer personal data to the non-EU
country.
Version 2 – Summer 2008

Section 7 42 Biometric Social and Cultural Implications
On a national security level, the EU has also been quite
successful in hindering certain United States’ plans to
implement programs that would require the use of personal
data (including biometrics) from EU citizens and
has essentially compelled the United States to agree to
provide specific protections before certain types of data
transfers have been permitted.
Biometrics and Privacy
The role or impact that biometrics plays with regard to
personal privacy is substantially determined by the scope
and definition individuals give to the term “privacy.” Not
surprisingly, that definition differs widely. To those who
consider “privacy” as equivalent to “anonymity,” there is
probably little ground for compromise. For those who
believe that any meaningful information about our person,
held by others, is an intrusion if not an invasion of
our privacy, that concern is acknowledgable and the
threat can be minimized. Informal evidence and public
sampling suggests that the mainstream view of the issue
is more balanced in that there is recognition of possible
impact, but acceptance of the technology is greater than
the threat of personal intrusion. Before examining that
balance, “privacy” must be better defined.
A Working Definition of Privacy
The word “privacy” is difficult to define as it has varying
meanings depending on culture, environment, and a
given situation. Stated simply, “Privacy is the interest that
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 43
individuals have in sustaining a ‘personal space’ free from
interference by other people and organizations.” 113
“Privacy”, however, is a far more complex issue with several
dimensions, 114 including:
• Privacy of the person:
Sometimes referred to as
“bodily privacy.” This is concerned with the integrity
of the individual’s body. Issues include compulsory
immunization, blood transfusion without consent,
and compulsory provision of samples of body fluids
and body tissue.
• Privacy of personal behavior:
This relates to all aspects
of behavior but particularly to sensitive matters
such as political activities and religious practices, in
both private and public situations. It includes what is
sometimes referred to as “media privacy.”
• Privacy of personal communications:
Individuals
claim an interest in being able to communicate
amongst themselves, using various media, without
routine monitoring of their communications by
other persons or organizations. This includes what is
sometimes referred to as “interception privacy.”
• Privacy of personal data:
Individuals claim that
data about themselves should not be automatically
available to other individuals and organizations and,
where data is possessed by another party, the individual
must be able to exercise a substantial degree
113 As defined by Roger Clarke. Introduction to Dataveillance and Infor-
mation Privacy. Used with permission.
114 As defined by Roger Clarke. Introduction to Dataveillance and Infor-
mation Privacy. Used with permission.
Version 2 – Summer 2008

Section 7 44 Biometric Social and Cultural Implications
of control over that data and its use. This is sometimes
referred to as “data privacy” and/or “information
privacy.”
From the standpoint of biometrics, privacy includes an
aspect of autonomy (not anonymity), that is, control of
information about one’s self and control over our personal
identity. Control over “information about ourselves”
is central to the discussions about information
privacy, for example. People have a vested interest in
determining how, when, why, and to whom information
about themselves, in the form of a biometric identifier,
can or would be disclosed. 115
An important implication of the definition of privacy is
that it needs to be balanced against other, competing
forces. For example: 116
•
•
•
The privacy interest of one person or group of people
may conflict with some other interest of their own,
and the two may have to be traded off (e.g., access
to credit or quality of healthcare)
The privacy interest of one person or group of
people may conflict with the privacy interests of
another person or group of people (e.g., healthcare
information that is relevant to multiple members of
a family)
The privacy interest of one person or group of people
may conflict with other interests of another person,
115 From Biometrics: Identity Assurance in the Information Age. John D.
Woodward, Jr. McGraw-Hill. 2003. Pg. 215. Used with permission.
116 As defined by Roger Clarke. Introduction to Dataveillance and
Information Privacy. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 45
group of people, organization, or society as a whole
(e.g., creditors, an insurer, and protection of the public
against serious disease)
Privacy protection is a process of finding appropriate
balance between privacy and multiple competing
interests.
When considering a biometric-based identification system
for any use—public, private, large scale or small—
and balancing privacy and confidentiality of data, the
issue is not so much the use of a biometric, or which
biometric is being used, but how the back-end data is
coordinated and what decisions are made as a result of
checking against this data. 117
If the biometric-based application is in the public sector,
there is a responsibility to ensure that any such system
is implemented in an ethical manner with full attention
given to areas such as data protection and privacy.
One of the biggest fears about biometrics is that personal
information collected in connection with or for purposes
of biometric identification will be used for reasons other
than the original intent. This concern is often referred to
as “function creep” or “mission creep.” A classic example of
function creep are Social Security numbers in the United
States, which were created for the sole purpose of administrating
Social Security benefits, but are now used as the
de facto numeric identities for Americans (although, as
of this writing, new government regulations are requir-
117 From Practical Biometrics: From Aspiration to Implementation. Julian
Ashbourn. Springer-Verlag. 2004 Pg. 4. Used with permission.
Version 2 – Summer 2008

Section 7 46 Biometric Social and Cultural Implications
ing companies, such as health insurance carriers, to use
personal identifiers other than social security numbers to
identify their insured).
If there is no database and biometrics are used simply to
verify an individual’s identity in situations where verification
of identity is permissible, there are no legal issues.
Further, biometrics may be used to identify a person (i.e.,
using a central database) in circumstances where the
public has a justifiable need to know who a person is and
whether that person poses a threat. A number of United
States government privacy initiatives have been implemented
to address such situations. These include, but
are not limited to, National Security Directive 59/Homeland
Security Presidential Directive 24, the US Visit Program,
the Homeland Security Presidential Directive-12
(HSPD-12), the Registered Traveler (RT) Program and the
Real ID Act.
National Security Presidential Directive 59/
Homeland Security Presidential Directive 24
NSPD 59/HSPD 24 are the first presidential directives to
deal exclusively with biometrics - more specifically, their
application to identification and screening to enhance
national security. The purpose of the framework is to
“ensure that Federal executive department agencies...
use [interoperable] methods and procedures in the collection,
storage, use, analysis, and sharing on biometric
and associated biographic and contextual information of
individuals... 118 Biometrics will be used by various federal
118 The White House Office of the Press Secretary, “National Security Presidential
Directive and Homeland Security Presidential Directive, “ http://
www.whitehouse.gov/new/releases/2008/06/20080605-8.htm.l.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 47
agencies to screen for “known and suspected terrorists
(KSTs)” - with the information on those individuals being
collected, stored, and shared to prevent terrorist acts.
The directive also promotes greater inter-agency flow
of biometric information by requiring agencies to “make
available to other agencies all biometric and associated
biographic and contextual information associated with
persons for whom there is an articulated and reasonable
basis for suspicion that they pose a threat to national
security.” The sharing, though, must respect applicable
confidentiality and privacy laws. These new policies are
to be implemented by the assistant to the president for
Homeland Security and Counter-terrorism, the assistant
to the president for National Security Affairs and the Director
of the Office of Science and Technology. 119
US-Visit Program
The program is the culmination and implementation of
a number of different legislative acts intending to ensure
the accurate tracking of foreign nationals entering and
exiting the United States. 120 The program was originally
limited to holders of certain non-immigrant visas and
was soon expanded to include many non-visa countries,
119 Ibid.
120 For a complete recitation of the background and the planned
implementation of US-VISIT see Federal Register/Vol. 69, No. 2,
Implementation of the United States Visitor and Immigrant Status
Indicator Technology Program (“US-VISIT”); Biometric Requirements;
Notice to Nonimmigrant Aliens Subject To Be Enrolled in the United
States Visitor and Immigrant Status Indicator Technology System;
Interim Final Rule and Notice.
Version 2 – Summer 2008

Section 7 48 Biometric Social and Cultural Implications
including Canada and the United Kingdom. US-VISIT has
since been further expanded to cover virtually all visitors
holding non-immigrant visas, regardless of country of
origin (with limited exemptions, for certain visa holders
including, most Canadians, some Mexicans, and people
under the age of 14 or over the age of 79). 121 This will
include millions of permanent residents and green card
holders, who will be required to be fingerprinted and
photographed upon re-entering the United States by
air or sea. Foreign nationals covered under the program
who refuse to give the requested biometric information
upon entry may be deemed inadmissible to the United
States for failure to provide the required documentation.
The 9/11 Commission recommended that the US-VISIT
program be expanded to include exit data as well as entry
data, and, more importantly, that Americans not be
exempt from the program. The Department of Homeland
Security began testing exit procedures at several
airports around the country, 122 but, as of May 6, 2007,
ended this practice. 124 On May 21, 2008, the US-VISIT Program
issued a “request for Information/Sources Sought”
to conduct market research. The United States government
issued this request to identify potential solutions,
service providers, and suppliers interested in participating
in the design and development of a biometric land
exit solution. 124
121 http:www.dhs.gov/xtrvlsec/programs/content_multi_image_00006.
shtm.
122 http://www.dhs.gov/xtrvlsec/programs/editorial_0525.shtm.
123 Id.
124 http://www.fbo.gov/index?tab=core&s=opportunity&mode=form&
id=833c071bbc5913a9d93742f903ab7da0&cck=1&au=&ck=.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 49
Homeland Security Presidential Directive-12
HSPD-12 promulgated a program designed to create a
single standard for identification for all federal government
employees and contractors by use of a “smart card”.
These smart cards will allow for identification with photographic
images printed on the card then include biometric
data, PINs, and other electronic credentials (such
as digital certificates) stored on the card. The overall goal
of HSPD-12 is to increase security, reduce identity fraud,
protect the personal privacy of the cardholder, and generally
achieve appropriate security assurance by verifying
the identity of individuals seeking physical access to government
facilities and electronic access to government
information systems. 125 HSPD-12 initially required agencies,
at a minimum, to issue standards-compliant personal
identity verification (PIV) cards to all new employees
and contractors by October 27, 2006. This date has been
extended to October 2008.
The Registered Traveler Program
The RT Program currently being deployed by the Transportation
Security Administration (TSA) in conjunction
with private industry is intended to provide expedited
security screening for select airline passengers who voluntarily
submit certain biometric and biographical information
to a TSA-approved vendor, successfully complete
a security threat assessment, and pay an enrollment
125 http://www.osec.doc.gov/osy/HSPD12/HSPD-12Information.htm.
Version 2 – Summer 2008

Section 7 50 Biometric Social and Cultural Implications
fee. 126 Only United States citizens, United States nationals,
and lawful permanent residents are eligible to participate,
and all participants must be over the age of 12. 127
Under this program, private companies, in conjunction
with TSA, permit individuals to pay a “membership” fee
and undergo a TSA-administered security threat assessment
in advance, thus permitting members to experience
curtailed security screening at airports. 128 Travelers
who wish to participate in this program must submit fingerprints
and iris images during the enrollment process
and security threat assessment phase. Only portions of
these biometric images are stored on the card so that the
original image cannot be recreated from the information
on the card. 129 130 The Registered Traveler Program offers
dedicated lanes at certain airports to minimize waiting
times for members. 131 The program is available to
United States citizens, permanent resident aliens, and
United States nationals. 132 Private companies administering
programs include FLO (administered by The FLO
126 Overview of the Registered Traveler Program from the TSA website:
www.tsa.gov. TSA estimates that the enrollment fee will be around $30.
However, private companies selling the services to the public are expected
to charge more.
127 From the Registered Traveler Program Model issued by TSA in May
2006.
128 http://www.tsa.gov/what_we_do/rt/rt-travelers.shtm.
129 http://www.rtgocard.com/faq.htm#How_are_my_fingerprints_
and_iris_image_biometrics_used.
130 http://www.tsa.gov/assets/pdf/pia_tsa-rt_20060901.pdf.
131 Id.
132 http://www.tsa.gov/what-we-do/rt/rt-travelers.shtm.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 51
Corporation ), 133 CLEAR (administered by Verified Identity
Pass), 134 and RtGo (operated by Unisys Corporation). 135
The annual fee for these programs ranges from $100 to
$128 and includes a $28 fee charged by TSA.
The Real ID Act
The Real ID Act was signed into law on May 11, 2005, after
passing through the Senate by a 100-0 vote. 136 The Real
ID Act imposes certain federal requirements on state-issued
driver’s licenses and identification cards. Immigration
and civil liberties groups believe it is a prelude to a
national identification card and are calling it an attack
not only on privacy, but also on refugees and asylumseekers.
Supporters, on the other hand, believe the Real
ID Act will make United States borders safer. 137
The fundamental purpose and operation of the Act has
changed little since it passed, and state governments
and departments of motor vehicles remain concerned
over the logistics of implementing it. In September 2006,
a report titled “The Real ID Act: National Impact Analysis”
was issued by a coalition of state governors, state legislative
groups, and representatives from the American As-
133 http://www.flocard.com.
134 http://www.flyclear.com.
135 http://www.rtgocard.com.
136 With respect the bill’s unanimous passage in the Senate, it should be
noted that critics of the legislation point to the fact that it was attached
to “must-pass” legislation for funding military action in Iraq.
137 http://www.washingtontimes.com/upi-breaking/20050509-050110-
3715r.htm.
Version 2 – Summer 2008

Section 7 52 Biometric Social and Cultural Implications
sociation of Motor Vehicle Administrators (the “Real ID
Report”). The Real ID Report concludes that states have
been given no real implementation guidelines and it
projects that the cost of implementation will be around
$11 billion, which is more than 100 times the $100 million
Congress estimated when it passed the bill. The report
breaks down the total cost by analyzing and estimating
the cost of implementation of each of the Act’s requirements.
the report recommends that Congress extend
the deadline to give states more time to not only implement
the new identification cards, but also to assess security
safeguards. 138 After several prior extensions, states
were supposed to be in full compliance with the Real ID
Act by May 11, 2008. However, this deadline can be delayed
until May 11, 2011 by timely filing requests for extensions.
In the Final Rule on the Minimum Standards
for Driver’s Licenses and Identification Cards Acceptable
by Federal Agencies for Official Purposes, published in
the Federal Register on January 29, 2008 and effective
March 31, 2008, the Department of Homeland Security
offered extensions in compliance to states as long as
they apply by March 31, 2008. These extensions will terminate
on December 31, 2009, unless the states apply
for an additional extension by October 11, 2009. These
additional extensions will terminate May 11, 2011. After
that, federal facilities and agencies will no longer accept
state driver’s licenses or identification cards that do not
comply with the Real ID Act.
138 A separate report issued by INPUT [INPUT is a company providing
market information to help private companies procure government
contracts and is sthe self-proclaimed “authority on government business.”]
estimates the cost at only $2.5 billion, which is still significantly
higher than Congress’s original estimate. See INPUT Press Release August
30, 2006..
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 53
Generally, privacy issues are more likely to arise when
identification is covert or when the biometric is attached
to highly sensitive information, such as in the case of
identifying people through DNA or linking a biometric
to criminal, medical, or financial information. However,
most of the activities where biometrics is expected to be
used for national security are innocuous and would be
done with the full knowledge and consent of the individual.
For example, the identification of an airline passenger
is no longer considered highly sensitive, especially
considering that passengers are already required to
identify themselves to airport personnel, and considering
further that potentially hundreds of other lives could
be at stake. Air travel safety is clearly an important public
issue. Although under certain circumstances it is possible
that such travel information when available to others
could compromise someone’s need to travel secretly,
such isolated and remote circumstances cannot justify
compromising national security and can be dealt with by
the individual.
From a practical standpoint, public opinion or confidence
in any system of identification assurance is important because
without at least tacit acceptance and approval, operating
success will suffer or fail. Therefore, it is important
that issues of individual privacy be taken into account in
any system that is employed regardless of whether the
law requires it. Personal information related to biometric
use should be sequestered or obscured, or made anonymous
to the greatest extent possible. Databases should
be used only when necessary and only relevant information
should be kept in any database and disposed of
when it is no longer needed. Individuals should be fully
informed about the collection process, allowed access to
their information, and have the ability to correct any errors.
There must be oversight and strict controls and pro-
Version 2 – Summer 2008

Section 7 54 Biometric Social and Cultural Implications
cedures in place governing how the information is used
and shared. Finally, there must be effective monitoring,
enforcement, and consequences for abuses, misuses, or
violations of the controls, policies, or procedures associated
with use of the biometric system. Penalties should
include fines, termination of employment, and in severe
situations, prosecution under the law to help sustain
public confidence and personal protection.
One of the most critical aspects of biometric privacy protection
is the issue of database management and security.
Generally, separation and effective isolation of personal
information databases from biometric template/
reference information databases should be a design
goal. To address this issue NBSP has developed a new
concept for third party identity authentication in a virtually
anonymous environment. Anonymous Recognition
® (AR) is intended to address the need for a system
that provides a centralized database of biometric data
that is separate and distinct from biographical and other
private data, a system that isolates personal data (PII)
in such a fashion that it cannot be compromised by the
authentication process itself. AR includes a secure repository
of fully searchable and readily available multimodal
biometric data, collected on a voluntary basis, for
real time authentication of an individual’s claim of identity.
It establishes and maintains a link with the unique
identity of each registered individual without access to
actual personal and private information. AR will accommodate
multiple biometric modalities and provide accurate,
high-volume, high-speed, authentication while fully
protecting the private information of the individual by
maintaining personal anonymity within the system.
Properly implemented, verification of a person’s identity
through biometrics provides the government or organiza-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 55
tion with no more information about a person than it had
before. Biometric technology becomes a vastly enhanced
tool to accomplish the mission of thwarting false authentication.
With proper education and system orientation, users
will understand and accept this fact, especially when
they can be assured that policies and procedures are in
place to prevent abuse, protect personal information, and
minimize the impact on privacy and civil liberties.
Biometrics Role in Privacy and Identity Protection
Biometric technology, effectively employed, has a significant
capability to protect the personal identity and
privacy of its users. An initial level of protection is accomplished
simply by enrolling the individual into a biometric
identity assurance infrastructure. For most individuals,
this is the first opportunity they have experienced
to have their true and unique identity established in a
highly accurate and readily available form, secure from
accidental, casual, or intentional theft or misuse. This is
not a trivial benefit considering the threat people face
today. A second benefit, when effectively employed, is
the degree of control over their identity information and
all related personal data bestowed on the individual by
their participation in the identity assurance system. Essentially,
they must voluntarily contribute their live feature
to unlock the privilege of access to their data. Nothing
exists today that provides an equivalent degree of
protection in this specific function. A third benefit relates
to the audit trail associated with any inquiry for access to
personal data. Creation of a record of access when such
access requires biometric insertion provides another
layer of security. A fourth benefit addresses the security
and convenience issue of password and PIN elimination
available in many biometric applications. The necessity
Version 2 – Summer 2008

Section 7 56 Biometric Social and Cultural Implications
and almost always insecure need present today to maintain
an extensive record of passwords or alphanumeric
codes can be effectively replaced by biometric enrollment
when the scale of use becomes universal.
The inherent capabilities of the technology, enhanced
by evolving improvements and enhancements in application
techniques, have enormous potential for use
in protecting personal privacy, safeguarding against the
economic and emotional loss experienced from identity
theft, and restoring rightful identity status in the aftermath
of such an experience.
Best Practices for Biometrics Deployment
Relating to Privacy 139
Although it is widely acknowledged that addressing privacy
concerns is a major factor in the deployment of systems
using biometrics, there is still much confusion, uncertainty,
and resulting frustration regarding the impact
biometrics have on privacy.
“Best practices” can help decrease confusion and build
awareness of how biometrics impact privacy—whether
real or perceived—and how best to deploy, explain, and
maintain a privacy-friendly biometric system. In addition
to the technical and cost aspects of deploying a biometric-based
system, privacy is one of the most important
issues to be addressed.
139 According to Best Practices for Privacy-Sympathetic Biometric De-
ployment, IBG BioPrivacy Initiative.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 57
The following guidelines 140 provide companies and organizations
(public or private) with a better understanding
of the types of issues that must be addressed when
deploying, using, and maintaining a biometric system.
These guidelines are applicable to most biometric applications,
as some may not be appropriate for certain
situations, uses, or technologies. The guidelines [developed
by International Biometric Group] that follow can
be used as a checklist by biometric technology vendors,
system designers and integrators, buyers, users, and others
to help protect against privacy-invasive systems.
Scope and Capabilities 141
1. Scope Limitation:
Biometric deployments should
not be expanded to perform broader verification or
identification-related functions than originally intended.
Any expansion or retraction of scope should
be accompanied by full and public disclosure under
the oversight of an independent accounting body,
allowing individuals to opt-out of the system usage,
if possible.
2.
No Establishment of a Universal Unique Identifier:
Biometric information should not be used as a
universal unique identifier. 142 Sufficient protections
140 Accofding to Best Practices for Privacy-Sympathetic Biometric De-
ployment, IBG BioPrivacy Initiative.
141 According to Best Practices for Privacy-Sympathetic Biometric
Deployment, IBG BioPrivacy Initiative.
142 Universal Unique Identifiers facilitate the gathering and collection
of personal information from various databases and can represent a
significant threat to privacy, if misused.
Version 2 – Summer 2008

Section 7 58 Biometric Social and Cultural Implications
should be in place to prevent, to the degree possible,
biometric information from being used as a universal
unique identifier.
3. Limited Storage of Biometric Information:
Biometric
information should only be stored for the specific
purpose of usage in a biometric system and not be
stored any longer than necessary. Biometric information
should be destroyed, deleted, or otherwise
rendered useless when the system is no longer operational;
specific user information should be destroyed,
deleted, or otherwise rendered useless
when the user is no longer expected to interact with
the system. 143
4. Evaluation of Potential System Capabilities:
When
determining the risks a specific system might pose
to privacy, the system’s potential capabilities should
be assessed in addition to risks involved in its intended
usage. 144
5.
Limit Collection or Storage of Extraneous Information:
The non-biometric information collected
143 This also applies to references generated during comparison attempts,
such as a reference generated in the verification stage of a 1:1
application.
144 Few systems are deployed whose initial operations are manifestly
privacy-invasive. Instead, systems may have latent capabilities, such
as the ability to perform 1:N searches or the ability to be used with
existing databases of biometric information, which could have an
impact on privacy. Although systems with the potential to be used
in a privacy-invasive manner can still be deployed if accompanied by
proper precautions, their operations should be monitored, and the
maximum protections possible should be taken to prevent internal or
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 59
for use in a biometric verification or identification
system should be limited to the minimum necessary
to make the system functional. 145
6. No Storage of Original Biometric Data:
If consistent
with basic system operations, biometric data in an
identifiable state, such as a facial image, fingerprint,
or vocal recording, should not be stored or used in a
biometric system other than for the initial purposes
of generating a reference. After reference generation,
the identifiable data should be destroyed, deleted,
or otherwise rendered useless. 146
Data Protection 147
7. Protection of Biometric Information:
Biometric information
should be protected at all stages of its lifecycle,
including storage, transmission, and matching.
148
145 In most systems, personal information will already exist independently
of the biometric information, such that there is no need to collect
personal information again.
146 This is to prevent the storage of fingerprints and facial images as
opposed to finger-scan and facial-scan references.
147 According to Best Practices for Privacy-Sympathetic Biometric
Deployment, IBG BioPrivacy Initiative.
148 The protections enacted to protect biometric information may
include encryption, private networks, secure facilities, administrative
controls, and data segregation. The protections that are used within a
given deployment are determined by a variety of factors, including the
location of storage, location of matching, the type of biometric used,
the capabilities of the biometric system, which processes take place in a
trusted environment, and the risks associated with data compromise.
Version 2 – Summer 2008

Section 7 60 Biometric Social and Cultural Implications
8. Protection of Post-Match Decisions:
Data transmissions
resulting from biometric comparisons should be
protected. Although these post-comparison decisions
do not necessarily contain any biometric data,
their interception or compromise could result in unauthorized
access to personal information. 149
9. Limited Access Systems:
Access to biometric system
functions and data should be limited to certain personnel
under certain conditions, with explicit controls
on usage and export set in the system. 150
10. Segregation of Biometric Information:
Biometric
data should be stored separately from personal information
such as name, address, and medical or financial
information. 151
11. System Termination:
A method should be established
by which a system used to commit or facilitate
privacy-invasive biometric matching, searches, or
linking can be depopulated and dismantled. 152
149 This protection is especially important in non-trusted environments
such as the Internet.
150 Multiple-user authentication can be required when accessing
or exposing especially sensitive data. Any access to databases that
contain biometric information should be subject to controls and strong
auditing.
151 Depending on the manner in which the biometric data is stored, this
separation may be logical or physical.
152 The responsibility for making such a determination may rest with
an independent auditing group and would be subject to appropriate
appeals and oversight.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 61
User Control of Personal Data 153
12. Ability to “Un-enroll”: Individuals should, where
possible, have the right to control usage of their biometric
information and the ability to have it deleted,
destroyed, or otherwise rendered useless upon request.
154
13. Correction of and Access to Biometric-related Information:
System operators should provide a
method for individuals to correct, update, and view
information stored in conjunction or association with
biometric information. 155
14. Anonymous Enrollment:
Depending on the operational
feasibility, biometric systems should be designed
such that individuals can enroll with some
degree of anonymity. 156
153 According to Best Practices for Privacy-Sympathetic Biometric De-
ployment, IBG BioPrivacy Initiative.
154 This is more applicable to opt-in systems that to mandatory systems.
In certain public sector and employment-related applications, there
is a compelling interest for data to be retained for verification or
identification purposes, such that the option of unenrollment would
render the system inoperable.
155 Failure to provide a means of updating personal information is
inconsistent with basic privacy principles and may lead to increased
likelihood of erroneous decisions.
156 In Web-based environments, where individuals can assume alternate
identities through e-mail addresses or usernames, there may be no
need for a biometric system to know with whom it is interacting so
long as the user can verify his or her original claimed identity.
Version 2 – Summer 2008

Section 7 62 Biometric Social and Cultural Implications
Disclosure, Auditing, Accountability, and
Oversight 157
15. Third Party Accountability, Audit, and Oversight:
The operators of certain biometric systems, especially
large-scale systems or those employed in the
public sector, should be held accountable for system
use. As internal or external agents may misuse biometric
systems, independent system auditing and
oversight should be implemented. 158
16. Full Disclosure of Audit Data:
Individuals should
have access to data generated through third-party
audits of biometric systems. 159
17. System Purpose Disclosure:
The purposes for which
a biometric system is being deployed should be fully
disclosed. 160
157 According to Best Practices for Privacy-Sympathetic Biometric De-
ployment, IBG BioPrivacy Initiative.
158 Depending on the nature of a given deployment, this independent
auditing body can ensure adherence to standards regarding data
collection, storage, and use.
159 Biometric systems that may pose a potential risk to privacy should
be monitored and audited by independent parties. The data derived
from such oversight should be available to facilitate public discussion
on the system’s privacy impact.
160 For example, if individuals are informed the system is to be used
for identity verification, it should not be used for 1:N identification.
Without full disclosure of the purposes for which a system is being
deployed, it is difficult to make informed assessments on the system’s
potential privacy impact.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 63
18. Enrollment Disclosure:
Ample and clear disclosure
should be provided when individuals are being enrolled
in a biometric system. Disclosure should take
place even if the enrollment references are not being
permanently stored, such as in a monitoring application.
161
19. Matching Disclosure:
Ample and clear disclosure
should be provided when individuals are in a location
or environment where biometric matching (either
1:1 or 1:N) may be taking place without their explicit
consent. 162
20. Disclosure of Use of Biometric Information:
Institutions
should disclose the uses to which biometric
data are to be put, both inside and outside a given
biometric system. Biometric information should only
be used for the purpose for which it was intended
and within the system for which it was collected unless
the user explicitly agrees to broader usage. There
should be no sanctions applied to any user who does
not agree to broader usage of his/her biometric information.
161 This includes employees enrolled in a facial-scan system through
badge card photos or driver’s license photos, or telephone callers enrolled
in a voice-scan sysstem. Informed consent to the collection, use,
and storage of personal information is a requirement of privacy-sympathetic
system operations.
162 This would include facial-scan technology used in public areas and
fingerprint information taken from employees.
Version 2 – Summer 2008

Section 7 64 Biometric Social and Cultural Implications
21. Disclosure of Optional/Mandatory Enrollment:
Ample and clear disclosure should be provided, indicating
whether enrollment in a biometric system
is mandatory or optional. If the system is optional,
alternatives to the biometric should be made readily
available. 163
22. Disclosure of Individuals and Entities Responsible
for System Operation and Oversight: As a precondition
of biometric system operation, it should be
clearly stated who is responsible for system operation,
to whom questions or requests for information
should be sent, and what recourse individuals have
to resolve grievances.
23. Disclosure of Enrollment, Verification, and Identification
Processes: Individuals should be informed
of the process flow of enrollment, verification, and
identification. This includes detailing the type of
biometric and non-biometric information they
will be asked to provide, the results of the successful
and unsuccessful positive verification, and the
results of matches and non-matches in identification
systems. In 1:N systems where matches may
be resolved by human intervention, the means
of determining match or non-match should be
disclosed.
24. Disclosure of Biometric Information Protection and
System Protection: Individuals should be informed
of the protections used to secure biometric information,
including encryption, private networks, secure
163 Individuals should be fully aware of their authentication options.
There should be no implication that enrollment in a given system is
compulsory if it is optional.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 65
facilities, administrative controls, and data segregation.
25. Fallback Disclosure:
When available, alternative authentication
processes should be available for individuals
to review if they are unable or unwilling to
enroll in a biometric system. These alternative procedures
should be neither punitive nor discriminatory
in nature.
To address privacy concerns associated with various
biometric-based programs, comprehensive privacy controls
should be put into place. Such controls include:
–
–
–
–
–
–
Educating system users through transparency of the
program, including development and publication
of a Privacy Policy that will be disseminated prior to
the time information is collected from users.
Establishing a privacy sensitivity awareness program
for system operators.
Establishing a privacy officer and implementation
of an accountability program for those responsible
for compliance with the published Privacy
Policy.
Periodically reviewing data to ascertain that the
collection is limited to what is necessary for stated
purposes.
If appropriate, establishing usage requirements
between the organizations and agencies authorized
to have access to the data.
To the extent permitted by law, regulations, or poli-
Version 2 – Summer 2008

Section 7 66 Biometric Social and Cultural Implications
•
•
cy, establishing an opportunity for covered individuals
to gain access to their information and/or allow
them to challenge its completeness or integrity.
Maintaining security safeguards (physical, electronic,
and procedural) consistent with federal and state
laws and policies to limit access to personal information
only to those with appropriate rights, and to
protect information from unauthorized disclosure,
modification, misuse, and disposal whether intentional
or unintentional.
Establishing administrative controls to prevent improper
actions due to data inconsistencies from multiple
information sources.
There are significant privacy and civil liberties concerns
regarding the use of biometric-based systems that must
be addressed before any should be deployed. There are
six primary areas of concern:
1. Storage:
How is the data stored, centrally or dispersed?
How should scanned data be retained?
2. Vulnerability:
How vulnerable is the data to theft or
abuse?
3. Confidence:
How much of an error factor in the technology’s
authentication process is acceptable? What
are the implications of false positives and false negatives
created by a machine?
4. Authenticity:
What constitutes authentic information?
Can that information be tampered with?
5. Linking:
Will the data gained from scanning be
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 67
linked with other information about spending habits,
etc? What limits should be placed on the private
use (as contrasted to government use) of such technology?
6. Ubiquity:
What are the implications of having an
electronic trail of a person’s every movement if
cameras and other devices become commonplace,
used on every street corner and every means of
transportation?
Examples of Privacy Codes or Best Practices
OECD 164 Guidelines
The OECD is an international organization, currently
made up of 30 member countries, that creates a forum
to “discuss, develop, and refine economic and social policies.”
The OECD Guidelines’ eight privacy principles are:
1. The Collection Limitation Principle:
This principle
states that there should be limits to the collection
of personal data and that any such data should be
obtained only by lawful and fair means and, where
appropriate, with the knowledge and consent of the
individual.
2. The Data Quality Principle:
This principle states
that personal data collected should be relevant to
the purposes for which it is to be used and, to the
extent necessary for such purposes, should be accurate,
complete, and up-to-date.
164 Organization for Economic Cooperation and Development (OECD)
Version 2 – Summer 2008

Section 7 68 Biometric Social and Cultural Implications
3. The Purpose Specification Principle:
This principle
states that the purposes for which data is collected
should be specified not later than at the time it is collected,
and that the subsequent use should be limited
to the fulfillment of those purposes or such other
purposes that are not incompatible with the stated
purposes and as are specified on each occasion of
change of purpose.
4. The Use Limitation Principle:
This principle states
that personal data should not be disclosed, made
available, or otherwise used for purposes other than
those purposes in accordance with the “Purpose
Specification Principle” except (a) with the individual’s
consent or (b) with the authority of law.
5. The Security Safeguards Principle:
The principle
states that personal data should be protected by
reasonable security safeguards against such risks as
loss, misuse, unauthorized access or disclosure, and
modification.
6. The Openness Principle:
This principle states that
there should be a general policy of openness about
development, practices, and policies with respect
to personal data. This principle further states that
means should be readily available for establishing
the existence and nature of personal data, the purpose
of its use, and the identity and location of the
data controller. [This principle and the two following
clearly imply that there should be a designated “data
controller.”]
The Individual Participation Principle
7. : This principle
states that an individual should have certain
rights with respect to his/her personal data, includ-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 69
ing (a) the right to receive confirmation from the
data controller as to whether the data controller has
the individual’s personal information, (b) the right to
have data related to him/her communicated to him/
her within a reasonable time, in a reasonable matter,
in an intelligible form, and at a cost (if any) that is not
excessive, (c) the right to be given the reason for any
denial of any such requests, and (d) the right to seek
corrections to his/her personal data.
8. The Accountability Principle:
This principle states
that the data controller should be accountable for
complying with measures that give effect to the
above principles. [This principle implies there should
be such accountability and data control measures in
place, e.g., in the form of a protocol.]
Because of OECD’s unique role in the global community,
it is an excellent outlet for discussing biometrics and the
ensuing privacy concerns. Indeed, this is why the OECD
Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data (1980) are invaluable to any discussion
of data privacy, nearly 30 years after their adoption.
Although the privacy protections contained in the
document may be outdated, the underlying themes are
still being discussed by OECD countries and non-members
through working groups. This is an encouraging
step toward a more universal definition of privacy, which
will greatly benefit the biometric community by clearly
defining the rules of operation and providing direction
for storage of personal or sensitive data.
Version 2 – Summer 2008

Section 7 70 Biometric Social and Cultural Implications
International Biometric Industry Association
(IBIA) 165
The IBIA adopted and promulgates through its membership
four principles dealing with biometrics and privacy.
These are:
1.
2.
3.
4.
165 www.ibia.org
Biometric data is electronic code that is separate and
distinct from personal information and provides an
effective, secure barrier against unauthorized access
to personal information. Beyond this inherent protection,
IBIA recommends safeguards to ensure that
biometric data is not misused to compromise any information,
or released without personal consent or
the authority of law.
In the private sector, IBIA advocates the development
of policies that clearly set forth how biometric data
will be collected, stored, accessed, and used, and
that preserve the rights of individuals to limit the
distribution of the data beyond the stated purposes.
In the public sector, IBIA believes that clear legal
standards should be developed to carefully define
and limit the conditions under which agencies of national
security and law enforcement may acquire, access,
store, and use biometric data.
In both the public and private sectors, IBIA advocates
the adoption of appropriate managerial and technical
controls to protect the confidentiality and integrity
of databases containing biometric data.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 71
Anti-Abuse Policy
Whatever combination of principles for protection are ultimately
established, it is also clear that there should be
accountability for safeguarding both biometric data and
the data directly related to personal information, and required
compliance with protocols and policies. Penalties
should be imposed for non-compliance. Penalties already
exist for related violations, such as for theft of personal
information or theft of information on a computer
(i.e., the Computer Fraud and Abuse Act).
In most cases, the existing penalties are imposed on the
person stealing the information. However, imposing penalties
on the keeper of biometric data and personal information
is essential to help guard against abuse and provide
comfort to participants. Such a structure would not
be the first time the law imposed penalties on the keeper
of personal information. For example, the Health Insurance
Portability and Accountability Act (HIPAA) places a
burden on the keeper of health information to maintain
adequate security measures to protect such information
from theft or misuse and imposes penalties for non-compliance.
The penalties on the keeper of biometric information
may, therefore, be somewhat analogous to the HIPAA
security requirements. The penalties, ranging from fines
to imprisonment, should vary depending on the severity
and intent. For example, an inadvertent act or failure
to act that resulted in a system vulnerability without any
actual harm, would warrant a fine as a deterrent for future
negligence. Whereas a deliberate dissemination of
personal information for private gain or other malicious
motive would warrant a much steeper penalty, such as
higher fines and possibly even imprisonment. Repeat of-
Version 2 – Summer 2008

Section 7 72 Biometric Social and Cultural Implications
fenders should also be subject to stricter penalties. There
should also be minimum and/or maximum fines and prison
terms to allow judges discretion in sentencing.
Summary
This section provides many different lists and recommendations
regarding usage of biometrics for attaining
a reasonable level of privacy at the same time. They
have been presented in the form they were developed
by others to allow a broader perspective on the issue,
and avoid yet another list sponsored by this publication.
The time has come to seriously consider public policy on
penalties for abuse.
The enabling tool of biometric technology and the passion
for personal privacy that exists in many individuals
and in some societies as a whole are inextricably linked.
It could not be otherwise when the primary function of
that enabling tool is the most accurate capability for identification
or personal recognition yet conceived. We can
fight the onslaught of the technology in a painful, costly,
and ultimately futile attempt to limit its use, or work for a
constructive usage that limits the technical and administrative
potential for abuse and maximizes the benefits to
privacy it offers. The latter is the only rational course.
Section 7, Part III: Societal Issues—User
Acceptance Considerations
The overall success of a biometric system depends, ultimately,
on whether or not people will use it and if they
will use it correctly. To increase the chances that users
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 73
will accept any biometric-based system and be willing
to cooperate with it, the user interface (usually with the
imager/reader) must be easy to use and the purpose for
the biometric system fully explained. If the system is too
difficult or inconvenient to use (for example, users have
to remove glasses, rings, or other items) or a low security
application is set too high (causing high false rejects) and
requiring repeated ID attempts by users, frustrations can
lead to increased error rates, user resistance, and loss of
confidence in the system. Additionally, if users perceive
a biometric technology as being too intrusive, their resistance
to using the technology may also adversely affect
system performance, and even lead to avoidance or
abuse.
Any biometric program must take into account those individuals
who cannot or will not participate in the program—whether
by choice or by circumstance. Some
people, through no fault of their own, cannot provide
the chosen biometric because their characteristics are
not measurable by the imager in use (for example; fingerprints
or irises). No matter the type of biometric feature
being measured, there will always be a small outlier
population of people who simply cannot be enrolled or
identified using that feature. Others, however, may actively
choose not to participate in the biometric system
because of their personal beliefs. While such persons
may comprise a very small fraction of the general user
population, they can be a vocal minority and create an
atmosphere of doubt about the system and the credibility
of its operation. Although such out-spoken criticisms
and perceptions of the system may not prevent eventual
full scale adoption and use of the biometric program, it
could lengthen the deployment cycle if these concerns
are not understood and addressed quickly.
Version 2 – Summer 2008

Section 7 74 Biometric Social and Cultural Implications
Some biometric devices also provoke concerns about
hygiene. For example, some people may object to hand
geometry scanners because they do not like to put their
palms on the same surfaces used by many others. It is
interesting that such perspectives do not readily appreciate
the relevance of other common usage such as
doorknobs. Other people may fear devices that scan
(and more properly, image) particularly sensitive areas of
the body, such as the eyes. Generally, if users perceive
that one biometric is less intrusive than another, they are
more likely to readily accept that product. The operative
word is “perceive.”
The Users’ Perspective
Historically, every technological innovation is met by
skepticism, cynicism, fear, and resistance to change;
usually in direct proportion to the threat of personal
intrusion it represents to the individual, as well as the
demands it makes on the level of cooperation required
to fully exploit its potential. There are few examples of
this technological impact stronger then a system that
intrudes on the matter of personal identity. Nevertheless,
the old axiom that “nothing is stronger than an
idea whose time has come” also applies to biometrics.
To avoid a collision of the new technology and the old
tradition, the industry is faced with an educational challenge
of considerable dimension. Before that education
can be useful, one must consider the scope and
nature of the concerns faced by biometrics, both real
and imagined.
It is important to try and understand the logical and
emotional response of the potential users of any
biometric-based identification system. Much of those
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 75
concerns are related to privacy and civil liberties issues
discussed earlier in this section. Not surprisingly, other
concerns emanate from a lack of knowledge about many
aspects of the technology. Does the user really understand
what biometrics are all about? How safe are they?
Are they uncomfortable with the idea of being identified
by a “body part?” How will users react to different biometric
technologies? Are there any cultural, religious, or
political biases? How will their personal biometric data
be used and by whom? Who will be allowed to have access
to that data? Will they be treated like a criminal if
they participate? Other concerns relate to how the biometric
templates or references will be stored and used,
and who will have access to them. There also may be
more general concerns expressed about biometric databases,
and if they will be placed in the custody of governments
or commercial enterprises.
More recently, the expanding problem of identity theft
raises new concerns and promises regarding the role of
biometrics. Will the technology make it easier or harder
for a victim to prove his/her true identity and resolve the
economic and emotional impact? Last, but not least, how
does the threat of international terrorism relate to the
use of biometrics as far as the individual is concerned?
Will this be just another delay at an airport, or a meaningful
way to distinguish the good guys from the bad or the
unknown?
All of these concerns require a response, regardless of
whether the question is based on fact or falsehood. The
FAQ list on every biometric community web site should
be focused on providing the right answers regarding the
accurate capabilities of the technology, as well as on the
limitations experienced in its use known to date. There is
significant empirical evidence that users will readily ac-
Version 2 – Summer 2008

Section 7 76 Biometric Social and Cultural Implications
cept the technology and are even excited by its innovation,
when they are adequately and accurately informed
as to its true characteristics.
Religious, Cultural, and Political/Philosophical
Concerns
Other criticisms of the use of biometrics originate on cultural,
religious, and/or political or philosophical grounds.
The population at large may not share such concerns,
but to the extent those who advocate for them have sincerely
held beliefs, they should not be ignored. 166 Other
cultural concerns may include objections to specific
types of technologies or their particular imagers. For example,
their may be cultural objections to facial or eye
photography or imaging, or the imaging of fingerprints,
or any contact with the body.
In the political or philosophical spectrum, the range (if
not the volume) of opposition can be quite broad. Individuals
and groups on both the Left and the Right see
threats to firmly held beliefs from any identification system
that may evolve into wide-ranging usage. National
ID systems are a particularly sensitive issue in this respect,
and originate in part from the 20th Century experience
of abuse of personal identification at the national
level by totalitarian regimes. These are not trivial concerns
and a legitimate interest in promoting the benefits
of biometrics should not dismiss them lightly. On the
contrary, it would be better to focus on design goals and
protective devices that prevent the potential for abuse
that gives rise to such concerns.
166 From Biometrics: Identity Assurance in the Information Age. John D.
Woodward. McGraw-Hill. 2003. Pg. 209. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 77
Educating Users
It is important that biometric system users be educated
appropriately (as to system use, functionality, and the reasons
for its use), have good quality enrollment references,
and be generally pleased or at least satisfied with the
overall system concept and its benefits to them and/or
their organization. The purpose of such education should
not be political orientation, but rather a fully factual exposure
to the technology and its utility. If, after receiving
such education, they elect to not participate (in an opt-in
environment), or only participate on a reluctant basis because
it involves a mandatory program within their organization,
that is, of course, their privilege. Advocacy has
its place in the development of any new technology and
many will take up (or oppose) that cause. Generally however,
advocacy should be distinct from a factual educational
program.
Since most public concern about biometrics arises from
fears that the technology can be misused to invade or
violate personal privacy, the principles, prohibitions, and
anti-abuse measures discussed in detail in this section
should be part of any serious education or training program
in biometrics.
Educating biometric system users includes training,
comprehension of expectations for, and limitations of, the
technology and its devices; and include documentation
regarding the system and its performance requirements.
Such documentation includes, but is not limited to:
•
•
A user’s manual
Policies governing the use of the technology
Version 2 – Summer 2008

Section 7 78 Biometric Social and Cultural Implications
•
•
Policies governing the use of biometric references
Policies on storage of all personal data and restrictions
on its use
Manuals should be short, simple, and to the point. The
acceptance rate of the users will have greater success if
they feel confident and secure in their knowledge about
the biometric-based system.
User orientation at enrollment or first exposure to the
system is essential to reaching a comfort level for normal
operations. Walkthroughs and trial-runs will help
increase that comfort level and avoid initial concerns
and personal embarrassment if rejections or failures occur.
Such simulations will also help decrease the error
rates by illustrating the system’s performance or window
when the user enters the transaction process. Such first
encounters of operational systems should always be in
the company of an experienced user or administrative
staff.
Summary
There is significant empirical evidence gained from a
number of public, commercially based biometric pilot
programs during the last 10 years that most users are
not only comfortable but even intrigued by the way
biometrics work. Ultimately, this will almost certainly be
the mainstream experience as usage expands. The biometric
community should act accordingly in construc-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 7 79
tion of both public and private educational programs in
the technology and its applications.
As always, critics will continue to warn against the use
and abuse of biometrics and when constructive, such
criticism should be carefully considered to improve the
human interface and reduce, where possible, any threat
the technology represents to an individual. In the final
analysis, however, the compelling value biometrics represent
to society will gain and hold widespread acceptance.
As summarized by sociologist Amitai Etzioni: 167
Reliable identifiers could replace the existing patchwork
of passwords that are often forgotten, lost, or
misappropriated. The same identifiers could be used
to ensure that one’s vote is not forged, that one’s credit
card is not misused, that one’s checks are not cashed by
others . . . In short, reliable universal identifiers – especially
biometric ones – could go a long way toward ensuring
that people are secure in their identity, thereby
allowing others to trust that they are who they claim
to be.
167 From Army Biometric Applications: Identifying and Addressing Sociocultural
Concerns. Chapter 3. RAND 2001. Used with permission.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 1
Section 8: Trends and Implications
Recording biological features for identification purposes
had its origin in China in the 14th Century. Until recently,
however, using any of these systems were quite labor intensive
requiring manual measurements and tracing of
body parts.
Modern biometric technology traces its roots to the
1930s, when serious research was conducted on using
biometrics to accurately identify individuals for criminal
purposes. Forensic examination, principally based on
fingerprint analysis, benefited by extensive government
funding and resulted in the creation of an effective, highly
automated mainframe-based system of identification
by the 1970s.
Progress in other areas of identification technology, many
related to finding commercial applications for biometrics,
coincided with the advent of microprocessors and personal
computers in the 1980s. This arm of research eventually
led to the establishment of five core technologies
that form the basis for the vast majority of commercial,
off-the-shelf biometric applications. These include:
•
•
•
Fingerprints: Using various sensors to capture the
surface or sub-dermal image of a live fingerprint
Hand-geometry: Measuring the length of the fingers
and their relationship to each other
Iris Recognition: Using a video camera to acquire a
detailed image of the color patterns inherent in the
eye’s iris
Version 2 – Summer 2008

Section 8 2 Trends and Implications
•
•
Facial Recognition: Using a camera to collect an image
that is analyzed through the use of various types
of two-and three-dimension processing
Voice Recognition: Analyzing the unique audio “signature”
of a person’s voice
The common thread through all of these technologies
is the speed of image acquisition and information processing
provided by modern computers, aided by the
advance of signal processing and PC-based statistical
techniques not feasible in earlier, manual processes.
Trends
Despite the prominence of the principal biometric technologies
noted above, several trends are worth noting
that will continue to expand the uses for, and accuracy
of, biometrics for a wide range of commercial and government
uses. These include:
•
•
•
•
Experimenting with new biometrics that may be
used alone or in conjunction with other biometrics
to improve identity under unique or challenging
conditions
Improving the core technologies that make them
more accurate and more useful to the community of
end users
Reducing the price of biometrics by developing lowcost
sensors and efficient, plug-and-play solutions
Combining more than one biometric into “fused” or
multi-modal applications to improve accuracy
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 3
•
Developing new approaches that address privacy
concerns and in turn expand the use of biometrics to
reduce the costs of identity fraud.
New Biometrics
There are a number of new biometrics that are at some
stage of product development and have either received
media attention or have been singled out by the biometric
community for their ongoing significance (refer to
Section 3). The nature of biometric research means that
any list, such as it appears here, is unlikely to be all-inclusive;
other technologies are certain to emerge in the near
future. Some of these will develop as viable competitors,
while others will no doubt fade from sight as impractical,
ill-founded, or too expensive. It is the purpose of this
section to review the current trends in biometrics and to
draw some implications from these trends.
DNA
• : DNA has established itself as a widely accepted
personal identifier and, like fingerprint analysis, is often
used in court to substantiate various claims or to
discredit others. As a biometric identifier, however,
in the sense of iris, voice, hand-geometry, and facial
recognition, DNA recognition is presently confronted
with two key challenges: collection and processing
issues. Present technology is not capable of obtaining
a DNA sample, processing it, and reporting results
fast enough to be useful as part of an access control
system where relatively high-speed throughput is
required. Also, since DNA can be used to identify a
large number of genetic predispositions for various
diseases and limitations, privacy issues are numerous
and not easily addressed. One company, however, is
using plant DNA embedded in books and other pa-
Version 2 – Summer 2008

Section 8 4 Trends and Implications
per products to verify ownership.
• Fingernail Patterns:
As fingernails grow, they leave
grooves or ridges on the nail bed that can be imaged
in infrared light. At least one company is attempting
to develop products to exploit this phenomenon.
• Gait Recognition:
The challenge to counter-terrorist
professionals is how to capture biometric features
without the subject being aware of the collection effort,
and then use this information for subsequent application.
Toward this end, there is ongoing research
being conducted into how people can be identified
by their gait as they walk.
• Olfactory Recognition (Odor Analysis) : Some scientists
suggest that a person’s body odor is sufficiently
unique as to be usable as a biometric reference.
• Retina:
At a recent biometric conference, a new company
appeared as an exhibitor with a fresh approach
to retina imaging that enables the process to occur
at six-12 inches, or greater, between the imager and
the subject using conventional, unfocused light, providing
distinct improvements over an older retinal
product and overcoming key points in customer resistance.
If successful, this method could overcome
user objections to the technology that earlier prevented
its general acceptance in the marketplace.
• Skin Biometrics:
Work has been done to use the arrangement
of sweat pores on a person’s hands as a
biometric identifier.
Vein Patterns
• : Several companies have recently discussed
biometric recognition using the patterns of
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 5
veins in the palm and back of the hand. Fujitsu, for
example, claims to have completed at least two sales
to major client for their technology.
There are at least three key challenges facing these and
other new biometric technologies that seek marketplace
acceptance: persistence, scientific basis, and richness of
data.
1. Persistence.
Persistence refers to the durability of a
biometric over time to resist change due to aging,
illness, or injury. Characteristics that change significantly
within a month or so would require constant
re-enrollment and would introduce potential for
various types of errors. Even mainstream biometrics
must continue to deal with these issues through constant
refinement of their processing algorithms.
2. Scientific Basis.
It is not sufficient that something
seems to work without a clear understanding of why
it works. There must be a solid scientific explanation
for how the appearance of a physical feature
supports its use for identification. Companies have
been known to spend four, five, six, or more years in
pure research and development to fully establish the
science behind the advancement.
Richness of Data Points
3. . Tied closely to the scientific
basis description, is a requirement that there be a sufficient
richness of data to accept these features and
be randomly distributed for unique identification.
Clear evidence that the quality of “uniqueness” exists
is essential. The more data points there are, the more
effective the algorithms will be in creating, searching
for, and verifying the biometric template.
Version 2 – Summer 2008

Section 8 6 Trends and Implications
Improved Technology
The computer revolutionized biometrics. Imaging or
capturing and processing fine details of fingerprints, irises,
and voice waveforms were simply not cost-effective
or practical prior to the personal computer. Between
the early 1940s and the late 1970s, existing computers—
mainly mainframes—could conceivably perform many
of the computational tasks, but it would have been impractical
to attempt. Also, during this period, there was
not a sufficient perception of the threat to drive that type
of application. This macro trend actually comprises several
trends.
• Cost of Processing:
Personal computers require little
space and are affordable by most. While “Moore’s
Law” produced ever-faster processing speeds, prices
dropped to the point where cost was no longer a
barrier to research. Under such circumstances many
scientists and engineers can now develop and improve
their own information processing techniques
and algorithms in the comfort of their homes or personal
workshops, thus lowering the cost of entry for
innovative, but cash-strapped entrepreneurs.
The same phenomenon applies to pre-programmed
and programmable microprocessors that are at the
core of many biometric devices. Continuing advances
in circuit fabrication, which in turn enable significant
improvements in processing power, are being
packaged in smaller, cheaper units that speed up the
development of market-ready components.
Memory
• : Likewise, the capacity of computer processing
units (CPUs) and memory devices has increased
and prices have plummeted even more dra-
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 7
matically. With each incremental increase in capacity
(and drop in price), the time required to process information
from a biometric device and make a useful
and reliable decision is shortened.
• Databases:
With memory expansion and improved
32- and 64-bit processing, creating and searching
massive databases has become feasible. Millions of
records can be examined in less than a second, enabling
manufacturers to devise and deploy biometric
systems on a global basis.
•
•
Algorithms: Every biometric technology relies on
proprietary and sophisticated algorithms that can
convert an image into a useful means of establishing
a template that can be used to create, store, and retrieve
a biometric record. Ongoing development has
made such algorithms extremely efficient at searching
large scale databases in short amounts of time, or
at combining multiple biometrics into a unique “signature”
that helps to narrow down the task of verifying
identity.
Biometrics at a distance: This topic, of enormous interest
to the defense and homeland security communities,
is targeted at the acquisition of biometric identity
without the knowledge of the individual. Some
of this research combines powerful cameras with
complex algorithms to produce high quality face images,
iris images, and gait signatures that may create
a useful picture of the person at interest. While the
results of this research are inconclusive to date, the
commercial applications are potentially significant:
better iris recognition capabilities that are derived
from the ability to capture the image at a distance
without the active participation of the user could
Version 2 – Summer 2008

Section 8 8 Trends and Implications
•
streamline access control processes and provide a
higher level of identity assurance.
Nanotechnology: This is another trend that has fired
an imaginations. The trend toward miniaturization
and micro-miniaturization has a twofold impact on
biometrics. First, it has enabled biometric devices
and systems to shrink from something the size of a
toaster to a device smaller than a fingernail. Second,
it facilitates the exploration and use of human features
not presently amendable for use as a biometric
identifier. For example, does a nano-scale device in
the blood stream provide a necessary interface with
external technology to enable the collection and
pre-processing of DNA? Such issues are speculative
at the present time regarding the biometric applications
of nanotechnology, but it is an area that is
bound to lead to improvements in biometric identity
applications.
Falling System and Application Prices
Biometric systems that only recently cost U. S.
$2,000–$5,000 per portal are now becoming available
for a fraction of that cost. Meanwhile, prices for central
processing or the “head-end system” are also falling.
A factor driving the cost of biometric technology is the
need for the innovating companies to recoup their nonrecurring
engineering and product design costs within a
reasonable period of time. Because the original products
were so expensive, the demand for them was limited to
a few very high-security installations. The small number
of sales forced the manufacturers to price their products
high enough to recover their expenses.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 9
With the exception of unique high-end products ( a thermal
imaging biometric that requires liquid nitrogencooled
cameras costs well over U. S. $15,000), almost every
biometric system on the market today is comprised of
components costing just a few dollars. Even the software
comes on a CD that, in quantity, costs U. S. $0.10 or less.
The difference between the cost of packaging and assembling
these components and the street price asked is an
amount intended to cover the original development cost
and profit. While the profit component remains, the perceived
need to recover the development cost on few sales
is softening and manufacturers are beginning to realize
that the demand for biometric technology is far more
extensive than earlier thought. Volume sales from lower
prices are now resulting in a quicker recovery of investment
capital as more end users are able to afford to make
biometrics a part of their security solution.
Combined Biometrics
In recent years, there has been a trend toward combining
two or more biometrics to improve the performance of a
system that would otherwise rely on a single, stand alone
biometric. This makes sense, especially for what could
be termed as “low power” biometrics, that is, devices that
have fairly high error rates. If two dissimilar technologies
(e.g., face recognition and fingerprints, iris and voice recognition)
are combined, then the “fused” result should
collectively show some improvement in performance.
Dr. John Daugman, however, has written a seminal paper
168 on the subject of combining biometrics. The docu-
168 Combining Multiple Biometrics. John Daugman, The Computer Labo-
ratory, Cambridge University, UK.
Version 2 – Summer 2008

Section 8 10 Trends and Implications
ment points out that such an improvement, while realized
on one hand, comes at a performance price on the
other hand that may obviate any new value of the combination.
Depending on the intended use and the security
threshold that is required, it may be better to buy
one more expensive biometric system that has a superior
performance profile to the fused or multi-modal solution.
Certainly, when contemplating the combination
of two highly accurate biometrics, such as an advanced
fingerprint system and iris recognition, any gains or improvements
resulting from the combination of the two
are likely to be only statistical advancements at best, with
operational differences that are not likely to be observed
or useful in anything other than the most demanding security
environments. Even in such cases, the difference
may only be measurable in a system involving tens of
millions of transactions annually.
Privacy Issues
During the first years of the current era of biometric
technology - that is, since 1980 - the focus of
entrepreneurial attention was simply on getting the
product to work. Also during this period, biometrics
as a field, was still an arcane discipline. With overall
improvements and the innovation of newer biometric
products, there is an increasing sense of public
awareness of biometrics. This, in turn, has prompted a
burgeoning concern about the use of the technology in
relation to privacy matters, and how each new biometric
technology or application may further erode personal
privacy. Such concerns extend development time
and costs, and, in some instances, impose additional
recurring costs to produce devices that help address the
issues of privacy and public acceptance.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 11
This situation creates both a real and perceptive barrier
to the wide-scale adoption of biometrics to solve such
entrenched problems as identity fraud. Identity theft
is causing the financial, healthcare and social services
sectors well over $100 billion per year, but end-users are
reluctant to counteract the problem through the use of
biometrics until privacy issues are fully sorted out.
A major development that shows promise for resolving
this standoff is Anonymous Recognition ® (AR). AR, an
initiative by the NBSP, permanently separates personal
information from biometric data by creating a personal
reference code. AR, needing only this code to confirm if
the identity is legitimate, can inform the inquiring entity
of the match or non-match without knowing anything
about the enrolled user. In practice this could mean
that biometric identification would not continue to be
stovepiped within a single application, organization, or
even sector.
Implications
All of these trends, collectively and separately, bode well
for the biometric industry. The current portfolio of five
to six leading biometrics are becoming commonplace
and generally well-accepted by the public. While fingerprints
have been used successfully for decades and have
found a high level of acceptance in forensic circles, the
other biometrics are gaining respectability and support
among a diverse group of end-users. The portfolio of
newer biometric technologies is rich with ideas and creativity
that, combined with the other trends in computer
technology and processing, are likely to result in other viable
biometrics. For all of these, the price trends toward
more affordable biometric technology will contribute to
Version 2 – Summer 2008

Section 8 12 Trends and Implications
the adoption and proliferation of biometrics throughout
society. Although troublesome to some members of the
community, the persistent scrutiny by privacy advocates
will also tend to produce more efficient biometric systems
and application policies that emphasize collection
and use of minimal information for effective function,
while rigorously safeguarding anything that could be
construed as personal information.
New Biometrics
The human body continues to show rich potential for
new biometric devices. As the capability to image smaller
pieces of anatomy is continually refined, along with
the ability to make sense out of a seeming jumble of data,
new and effective biometric tools are likely to emerge.
The challenge to innovators in this area is whether the
new biometric really represents an advancement in performance
over established technology, or is merely an
attempt to exploit the “gee whiz” factor.
Improved Technology
The single most significant trend in biometrics is the ongoing
improvements in computer technology. Machines
the size of a deck of cards can now perform computational
magic in seconds that 50 years ago would have required
a room full of equipment and days, if not weeks,
to process. Surface-mount circuit fabrication and other
manufacturing processes enable creation of biometric
products that can be integrated into virtually any other
system.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 13
Improved Processing
As products move from the prototype phase into routine
production, the software that performs the essential
identification protocols is optimized and refined with corresponding
advances in processing speed and decisionmaking.
Combined with the newer 32- and 64-bit CPUs,
optimized software applications leap forward by orders
of magnitude in the time to perform necessary functions
and calculations. Another result of the improved
processing algorithms and technology is significant improvement
in error rates. Better image collection leads
to a sharp reduction in the Failure to Acquire error rate,
as well as improved False Reject and False Accept error
rates. Improved error rates, in turn, lead to greater customer
satisfaction.
Miniaturization
New manufacturing techniques and investments in
nano-technology contribute significantly to improved
processing speeds and image capture, as well as new
product innovations. Imagine a facial recognition system
built into the frame of a pair of glasses with the identification
information being fed to and imaged on one of the
lenses or whispered into the ear of the wearer. The only
limiting factor seems to be the irreducible size and shape
of the human body, where the miniaturization of some
components, such as a fingerprint platen, must stop at
the size of a thumbprint. There are fingerprint recognition
systems on the market today completely encased in
a package the size of a key fob or appear only as a tiny,
2cm wide slot on a laptop keyboard. Only the size of the
fingerprint platen and the battery are needed to power
it.
Version 2 – Summer 2008

Section 8 14 Trends and Implications
Prices
Lower prices will serve to make biometric products
more ubiquitous and help gain universal acceptance.
In the past, biometric products were generally limited
to high-security installations not because they were too
exotic for common use but because they were too expensive
to justify for simpler applications. As the cost of
biometric technology falls, this obstacle will disappear.
Use of a biometric to open a garage door rather than
an opener/transmitter with a random number generator
inside made no economic sense a year ago. Now, consumers
can purchase a biometrically based transmitter
that performs the same function but with much greater
security for virtually the same price.
Combined Biometrics
In principle, the combination of two more inexpensive
but low power biometrics could result in an affordable
biometric system with at least moderate power and utility.
As more powerful biometrics fall in price, however,
they become more cost-competitive with the combined
biometric solutions, thus neutralizing any benefit one
might have obtained from the combined system. Such
fused or multi-modal biometrics might have obtained
from the combined system. Such fused or multi-modal
biometrics may have applications in which marginally
reliable data are combined into a single representation
that may be of use for low-security or biometrics-at-adistance
purposes.
Version 2 – Summer 2008

Biometric Technology Application Manual Section 8 15
Privacy Issues
As biometrics move into the mainstram of securityrelated
technology, questions about the preservation
of privacy have continued to affect the scope in which
biometric solutions are deployed. Each new biometric
or advancement in a current product can expect to address
questions about the benefits of a product against
privacy concerns. Specifically, how that product can, in
theory and practice, track and report the movements
of individuals. In the past, these issues were raised by
independent privacy advocates who were predisposed
to opposing the introduction of biometric technology.
While this group remains vocal in their skepticism about
biomertrics, the institution has been formalized by the
creation of national level privacy commissions and regulatroy
structures that weigh the benefits of the technology
against the potential for misuse.
This issue may ultimately reduce to two questions: does
the information transmitted from the biomtric device
contain personal information (e.g., state of health, illnesses,
financial data, etc.), and/or does the use of that technology,
even absent any personal information in the signal
itself represent a compromise of personal space and
privacy? As for the first question, this will be answered
on a case-by-case, device-by-device basis. The second
question, while still an ongoing subject of debate, shows
promise resolved by the adoption of solutions such as
Anonymous Recognition ® . A more indepth discussion
of Privacy Issues relating to biometrics is found earlier in
Section 7.
Version 2 – Summer 2008

Section 8 16 Trends and Implications
Summary
Simply put, biometrics have become smaller, quicker,
cheaper, more accurate, and more versatile. Devices are
now intuitive to use, requiring less active cooperation by
the user. The integration of biometric devices into familiar
and common appliance tools and into home security
applications, such as door locks, is increasing. At the
same time, reliability and operational stability in all environments
have improved dramatically. The last barrier
to growth - privacy - is being addressed by the industry
in the form of new approaches that isolate personal data
from biometric information.
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 1
Bibliography and References
In researching and compiling the BTAM, the authors
relied heavily on secondary research from alreadypublished,
public sources. The following sources and
resources represent works from which information and
knowledge was used and referenced, and for which the
authors are acknowledged and thanked for sharing this
knowledge.
1.
2.
3.
4.
5.
6.
An Application of Biometric Technology: Retinal Recognition.
Series #3. Ravi Das, HTG Solutions.
ANSI Homeland Security Standards Panel Biometric
Workshop Report. April 2004.
Army Biometric Applications: Identifying and Addressing
Sociocultural Concerns. John D. Woodward,
Katharine W. Webb, Elaine M. Newton, Melissa Bradley,
David Rubenson. RAND 2001.
Best Practices for Privacy-Sympathetic Biometric Deployment.
International Biometric Group; IBG BioPrivacy
Initiative. www.biometricgroup.com
Best Practices in Testing and Reporting Performance
of Biometric Devices. Version 1.0. Biometrics Working
Group. January 12, 2000.
Best Practices in Testing and Reporting Performance
of Biometric Devices. Version 2.01. Biometrics Working
Group. Mansfield and Wayman. August 2002.
BioAPI Specification Version 1.1
7. . The BioAPI Consortium.
March 16, 2001.
Version 2 – Summer 2008

Volume 1 2 Bibliography and References
8.
Biometric Applications: Legal and Societal Considerations.
National Biometric Test Center. San Jose State
University. Adapted from a presentation by Dr. Kenneth
P. Nuger of SJSU Political Science Department.
9. Biometric Basics presentation. U.S. Department of
Defense Biometrics; DoD Biometrics Management
Office; DoD Biometrics Fusion Center. June 2004.
10. Biometric Identification.
Simo Huopio, Department
of Computer Science, Helsinki University of Technology.
November 27, 1998.
11. Biometric Identity Management in Large-Scale Enterprises
white paper. Daon. October 2002.
12. Biometric Principles, Applications, Opportunities,
and Issues presentation. Dr. Craig Arndt, Mitretek
Systems. 2004.
13. Biometric Product Testing Final Report. Centre for
Mathematics and Scientific Computing (CESG). Tony
Mansfield; Gavin Kelly; David Chandler; Jan Kane.
March 2001.
14. Biometric Scanning, Law & Policy: Identifying the
Concerns – Drafting the Biometric Blueprint. John D.
Woodward. University of Pittsburgh Law Review. Fall
1997.
15. Biometric Systems: Technology, Design and Performance
Evaluation. James Wayman; Anil Jain; Davide
Maltoni; and Dario Maio. Springer-Verlag. 2005.
Biometric Technologies.
16. Cynthia Traeger and Howard
Falk (doc id 00016761). Faulkner Information
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 3
Services (www.faulkner.com), a division of Information
Today (www.infotoday.com).
17. Biometric Technology Testing, Evaluation, and Results.
James L. Wayman. National Biometric Test Center.
San Jose State University.
18. Biometric Technology: Security, Legal, and Policy
Implications. Legal Memorandum #12. Paul Rosenzweig,
Alane Kochems, and Ari Schwartz. The Heritage
Foundation. June 2004.
19. Biometric Terminology Glossary.
www.findbiometrics.com
20. Biometric Testing. Presentation by Valorie S. Valencia,
Ph.D., CEO of Authenti-Corp.
21. Biometric Testing: It’s not as Easy as you Think. Valorie
S. Valencia, Ph.D. Biometric Consortium Annual
Conference. September 2003.
22. Biometric Testing Report. Biometrics for National
Security (BiNS). National Biometric Security Project
(NBSP) July-August 2004.
23. A Biometric White Paper.
Julian Ashbourn. 1999.
24. Biometrics 101: The Basics.
www.findbiometrics.com
25. Biometrics 2004 Delegate Manual. Tony Mansfield,
Principle Research Scientist, National Physical Laboratory,
U.K.
26.
Biometrics: A Grand Challenge. Proceedings of In-
Version 2 – Summer 2008

Volume 1 4 Bibliography and References
ternational Conference on Pattern Recognition. Anil
Jain; Sharath Pankanti; Lin Hong; Arun Ross; James
Wayman. August 2004.
27. Biometrics: A Look at Facial Recognition. John D.
Woodward; Christopher Horn; Julius Gatune; and
Aryn Thomas. Prepared for the Virginia State Crime
Commission. RAND Public Safety and Justice. 2003.
28. Biometrics: A Technical Primer. Elaine M. Newton
with John D. Woodward.
29. Biometrics: A Unique Authentication Approach presentation.
David Zhang. Biometrics Research Centre,
The Hong Kong Polytechnic University. August 31,
2004.
30. Biometrics and the Threat to Civil Liberties. IEEE
Computer magazine. April 2004.
31. Biometrics: Personal Identification in a Networked Society.
A. Jain; R. Bolle; S. Pankanti. Kluwer Academic
Publishers, 1999.
32. Biometrics As Privacy-Enhancing Technology: Friend
or Foe of Privacy? Dr. George Tomko. 1998.
33. Biometrics: Identity Assurance in the Information Age.
John D. Woodward; Nicholas M. Orlans; Peter T. Higgins.
McGraw Hill-Osborne. 2003.
34. Biometrics Now and Then: The development of
biometrics over the last 40 years, Biometrics in the Re-
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 5
flection of Requirements. James L. Wayman. 2004.
35. Biometrics Performance Testing and Reporting – Part
1: Principles and Framework. ANSI ISO/IEC JTC 1/
SC37 Biometrics. January 21, 2005.
36. Biometrics: Personal Identification in a Networked Society.
Anil Jain; Ruud Bolle; Sharath Pankanti. Kluwer
Academic Publishers. 1999.
37. Biometrics Unproven, Hard to Test. Ann Harrison.
SecurityFocus. August 7, 2002.
38. Choosing a Biometric Solution.
www.findbiometrics.com
39. Classification and Indexing in Large Biometric Databases.
Srinivas Palla; Sharat S. Chikkerur; Venu Govindaraju;
Pavan K. Rudravaram. Center for Unified
Biometrics and Sensors, University of Buffalo, New
York.
40. Combining Multiple Biometrics. Dr. John Daugman,
The Computer Laboratory, Cambridge University,
UK.
41. Ear Biometrics for Machine Vision. M. Burge and W.
Burger. Johannes Kepler University Department of
Systems Science.
42. Exploring Identity Management: Selecting Identity
Management Tools. A white paper prepared for IBM
Version 2 – Summer 2008

Volume 1 6 Bibliography and References
Tivoli Software by Enterprise Management Associates.
September 2003.
43. Face Recognition Vendor Test 2002 – Evaluation Report
March 2003. DARPA, NIST, Dept. of Defense,
Counterdrug Technology Development Program Office,
and NAVSEA Crane Division.
44. Facial Recognition Biometrics: Applying New Concepts
on Performance Improvement and Quality Assessment.
Babak Goudarzi Pour and Marcus Zackrisson.
May 2003.
45. Facial Scan Technology: How it Works.
www.facial-scan.com
46. Fingerprint Identification. Salil Prabhakar, Anil Jain.
Biometrics at Michigan State University.
47. Fingerprint Matching Using Minutiae and Texture
Features. Proceedings of the International Conference
on Image Processing (ICIP), Greece. Anil Jain,
Arun Ross, Salil Prabhakar. October 2001.
48. Fingerprint Vendor Technology Evaluation 2003 –
Analysis Report (FpVTE 2003). Charles Wilson, R.
Austin Hicklin, Harold Korves, Bradford Ulery, Melissa
Zoepfl, Mike Bone, Patrick Grother, Ross Michaels,
Steve Otto, and Craig Watson. NIST, Mitretek, and
NAVSEA Crane Division.
49. Foreign Laws Affecting Data Processing and Transborder
Data Flows. Paul H. Silhan.
50. Framework for Evaluating and Deploying Biometrics
in Air Travel Applications: Surveillance, Trusted Trav-
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 7
el, Access Control. International Biometric Group.
April 3, 2002.
51. Fundamentals of Biometric Authentication
Technologies. James L. Wayman. National Biometric
Test Center.
52. The Future of 3D Facial Recognition. David Tunnell,
European Transport Infrastructure.
53. Gray’s Anatomy: The Anatomical Basis of Medicine
and Surgery, 39th Edition. Elsevier Health Sciences
Division.
54. Information Management: Selected Agencies’ Handling
of Personal Information. U.S. General Accounting
Office. (GAO-02-1058) September 2002.
55. International Biometric Testing Initiatives
presentation. James L. Wayman. San Jose State
University.
56. An Introduction to Biometric Recognition. Anil Jain,
Arun Ross, and Salil Prabhakar. IEEE Transactions on
Circuits and Systems for Video Technology. January
2004.
57. Introduction to Dataveillance and Information Privacy.
Roger Clarke.
58. An Introduction to Evaluating Biometric Systems.
P.
Jonathon Phillips, Alvin Martin, C.L. Wilson, Mark
Przybocki. IEEE Computer magazine. 2000.
59.
Knowing Me, Knowing You: Biometrics, the Security
Version 2 – Summer 2008

Volume 1 8 Bibliography and References
Industry, and the Law. Nick Mallet, Martineau Johnson.
November 2004.
www.martineau-johnson.co.uk
60. Multimodal Biometric Authentication Methods: A
COTS Approach. M. Indovina, U. Uludag, R. Snelick,
A. Mink, A. Jain. NIST and Michigan State University.
61. National Biometric Test Center Collected Works.
1997-2000. Version 1.2 James L. Wayman. San Jose
State University. August 2000.
62. NIST Biometric Standards Program presentation. Michael
D. Hogan, Fernando Podio. September 2004.
63. Overview of the OECD: What is it? History? Who does
what? Structure of the organization? Organization for
Economic Cooperation and Development.
64. Palmprint Recognition with PCA and ICA.
Tee Connie.
Multimedia University, Melaka, Malaysia.
65. Personal Identity Verification (PIV) of Federal Employees
and Contractors. FIPS PUB 201. NIST. February
25, 2005.
66. Personal Verification using Palmprint and Hand Geometry
Biometric. Kumar, Wong, Shen, and Jain.
2003.
67. Practical Biometrics: From Aspiration to Implementation.
Julian Ashbourn. Springer-Verlag. 2004.
68. A Practical Guide to Biometric Security Technology.
Simon Liu and Mark Silverman. IT Professional. IEEE
Computer Society. Jan-Feb 2001.
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 9
69. Privacy and Biometrics: An Oxymoron or Time to Take
a Second Look? Ann Cavoukian. 1998.
70. Privacy Online: Fair Information Practices in the
Electronic Marketplace. Federal Trade Commission.
May 2000, p.iii.
71. The Pros and Cons of Using Biometric Systems in Business.
GartnerGroup. Clare Hirst. March 11, 2005.
72. Protocol for the Collection, Use, Dissemination, and
Storage of Biometric Data. National Biometric Security
Project (NBSP).
73. Putting Biometrics to the Test.
Michael Fenner. The
European Union Banking & Finance News Network.
2003.
74. Report on International Data Privacy Laws and Application
to the Use of Biometrics in the United States.
National Biometric Security Project (NBSP). December
17, 2004.
75. The Science and Technology of Biometrics and Managing
Human Identity abstract of presentation for
American Association for the Advancement of Science.
Homeland Security and Emerging Technology.
Joseph Attick; Identix, Inc. February 2005.
76. Security magazine. SpecXpress Biometrics. April 2004.
77. Slap Fingerprint Segmentation Evaluation 2004
(SlapSeg04) Analysis Report (NISTIR 7209). Bradford
Ulery, Austin Hicklin, Craig Watson, Michael Indovina,
and Kayee Kwong.
Version 2 – Summer 2008

Volume 1 10 Bibliography and References
78. Specifying Biometrics.
Julian Ashbourn. 1999.
79. State of Biometric Standards presentation to BiometriTech
Expo. Jeff Stapleton, KPMG. June 23-26,
2003.
80. Substance and Quality of Biometric Technology Training
Programs: An Assessment of Current Industry Capability
to Meet Infrastructure Needs. National Biometric
Security Project (NBSP). August 2004.
81. Summary of NIST Standards for Biometric Accuracy,
Tamper Resistance, and Interoperability. NIST. November
13, 2002.
82. A Survey of Synthetic Biometrics: Capabilities and
Benefits. Nicholas M. Orlans, Douglas J. Buettner, and
Joe Marques. The 2004 International Conference on
Artificial Intelligence.
83. Technical Testing and Evaluation of Biometric Identification
Devices. James L. Wayman. National Biometric
Test Center.
84. Technology Assessment: Using Biometrics for Border
Security. United States General Accounting Office
(GAO). GAO-03-174. November 2002.
85. U.S. Department of Defense Biometrics Standards Development
Recommended Approach. Biometrics Management
Office. September 2004.
86. The United States Constitution.
1791.
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 11
87. United States Federal Laws Regarding Privacy and
Personal Data and Applications to Biometrics. National
Biometric Security Project (NBSP). August 5,
2004.
88. International Data Privacy Laws and Application to
the Use of Biometrics in the United States. National
Biometric Security Project (NBSP). First supplement,
July 17, 2008.
89. Using Biometrics. Julian Ashbourn. 1999.
90. Voice Verification Makes Big Strides, But Its Still Risky.
S. Cramoysan and B. Elliot. GartnerGroup Research
Note. January 31, 2005.
91. Voluntary Industry Standards and Their Relationship
to Government Programs. Licensing Programs Division
– Office of Commercial Space Transportation –
U.S. Department of Transportation. January 1993.
92. What Are Biometrics? www.findbiometrics.com
93. What Type of Fingerprints Do You Have? A Fingerprint
History. U.S.Department of Justice. U.S. Marshals
Service.
94. Workshop on Biometric Standards presentation. ANSI
Homeland Security Standards Panel. Fernando Podio.
NIST.
Version 2 – Summer 2008

Volume 1 12 Legal Cases Cited
Legal Cases Cited
1.
2.
3.
4.
5.
6.
7.
8.
9.
Breithraupt v. Abram, 352 U.S. 432 (1957)
Cafeteria and Restaurant Workers Union v. McElroy,
367 U.S. 886 (1961)
Ewing v. Mytinger and Casselberry, Inc., 339 U.S.
594 (1950)
Goldberg v. Kelly, 397 U.S. 254 (1970)
Katz v. United States, 389 U.S. 347 (1967)
Michigan v. Stiz, 494 U.S. 444 (1990)
National Treasury Employees Union v. Von Raab,
489 U.S. 656 (1989)
North American Cold Storage Company v. Chicago,
211 U.S. 306 (1908)
Perkey v. Department of Motor Vehicles, 721 P.2d.
50 (Cal. App. 1986)
10.
Schmerber v. California, 384 U.S. 757 (1966)
Version 2 – Summer 2008

Biometric Technology Application Manual Volume 1 13
Acknowledgments
A special thank you to the following individuals and organizations
that contributed their time and expertise to
the development of this volume.
Jill Allison
Eizen, Fineburg & McCarthy, PC
Gates and Company
Walter Hamilton
Carol A. Harvey
John Holmblad
International Biometric Group
Cletus B. (Boots) Kuhla
Bill McLaughlin
Ramzi Nasir
Daniel Nickell
Richard E. Norton
Fernando Podio
Russ Ryan
John E. Siedlarz
General Orlo Steele
Catherine Tilton
James L. Wayman
Gerald O. Williams
Bill Wilson
Michael Yura
Version 2 – Summer 2008

Biometric Technology Application Manual Index 1
BTAM Index
1:1 (one to one) identification p.2.12,
57; 3.13, 54, 60; 7.58, 63
1:N (one to many) identification
p.2.12, 15, 24, 57; 3.13, 53; 7.58, 62,
63, 64
Access control p.1.2, 3, 4, 5; 2.7, 11, 12,
14, 16, 18, 22, 26, 27, 34, 37, 38, 58;
3.11, 18, 19, 21, 22, 24, 32, 38, 41,
42, 49, 65, 67; 4.1, 3, 4, 14, 16, 17, 18,
19, 20, 21, 22, 23, 24, 25, 27, 29, 33,
37; 5.1, 21, 33, 34; 6.46; 7.26, 30, 37;
8.3, 8
Accredited Standards Committee X9
(ASC X9 ) p.5.24
Accuracy of biometric systems: see
also robustness
Acquisition device p.2.5, 37
Active imposter acceptance p. 2.37
Alarms p. 4.27
Algorithm p. 2.37
American National Standards Insti-
tute (ANSI ) p. 2.38; 5.29
And (anding) / or (oring) process p. 2.38
ANSI: see American National Stan-
dards Institute
ANSI INCITS: see International Com-
mittee for Information Technology
Standards
Anti-abuse policy p. 7.71-72
Asynchronous multi-modality p. 2.39
Application concept: see system con-
cept
Application, definition of p. 2.38
Version 2 – Summer 2008
Application profile p. 2.38
Application program interface (API)
p. 2.29, 38
Application specific integrated circuit
(ASIC) p. 2.38
Army Research Lab (ARL) p. 6.43
ASC X9: see Accredited Standards
Committee X9
Attack p. 2.39
Attempt p. 2.39
Attribute authority p. 2.39
Audit trail p. 2.39
Authentication p. 2.40
Authentication routine p. 2.40
Automated Access Control Portal p.
4.24-29
Automated fingerprint identification
system (AFIS) p. 2.37, 40
Automatic ID / auto ID p. 2.40
Background investigations p. 2.23
Base standard p. 2.40
Behavioral biometric p. 2.41
Bertillon, Alphonse p. 2.2
Bertillonage p. 2.2
Bifurcation p. 2.41; 3.14
Bio API p. 2. 41; 6.32
Biometric, definition p. 2.41
Biometric application p. 2.41
Biometric application programming
interface (BAPI) p. 2.41; 5.17, 20
Biometric Consortium p. 5.10, 29, 30
Biometric data p. 2.42
Biometric engine p. 2.42

Index 2 Biometric Technology Application Manual
Biometric identification device p.
2.42
Biometric identification product p.
2.42
Biometric sample p. 2.42
Biometric system or subsystem p.
2.43; elements of p. 2.19-29
Biometric system-level criteria p.
2.18-19
Biometric taxonomy p. 2.44
Biometric, types of p. 1.3
Biometric technology: appropriate
application of p. 1.4-5; 2.10-13;
3.2-46; 4.2-5; components of p.
2.19; 3.1; definition p. 2.44; his-
tory of p. 2.1-5; general mechanics
of p. 2.7-10; legal considerations
p.7.1-34; new developments p.
8.2-5, 14; standards sec. 5; testing
and evaluation sec. 6
Biometrics Fusion Center (BFC) p.
6.42
Biometrics Technology Center p. 6.44
Body odor: see olfactory analysis
Body salinity p. 3.63
“Breeder documents” p. 2.7, 22
Buffer overflow p. 2.45
Capture p. 2.7, 16, 19, 21, 25, 27, 42,
45, 49, 53, 56, 58; 3.5, 9, 13, 14, 15,
16, 19, 21, 22, 32, 36, 39, 41, 44, 62,
66, 68; 5.27; 6.20; 8.1, 4 7, 13; see
also failure to acquire
Carnegie Mellon p. 6.45
CBEFF: see Common Biometrics Ex-
change File Format
Center for Unified Biometrics and
Sensors (CUBS) p. 6.44
Certificate, certificate authority, certi-
fication p. 2.46
Chaotic morphogenesis p. 2.46
Charge coupled device (CCD) p. 3.21,
44, 65
Claim of identity p. 2.12, 46; 7.54
Claimant p. 2.46
Closed-set identification p. 2.46
CoE no. 108 p. 7.32-33
Combined Domains p. 4.41-43
Combined biometrics p. 8.9, 14
Common Biometrics Exchange File
Format (CBEFF) p. 2.29, 45; 5.3, 4,
20, 23, 24, 27, 28, 29, 31; 6.32, 33
Common criteria p. 2.47; 6.27
Common Data Security Architecture
(CDSA) p. 5.23
Compare p. 2.47
Comparison, comparison errors p.
2.13-16, 19, 26-28
Comparison of biometric technolo-
gies p. 3.45-55
Consent p. 2.23; 4.27; 7.5, 16, 16, 20,
25, 27, 30, 32, 33, 35, 37, 43, 53, 63,
67, 68, 70
Contact/contactless p. 2.47
Controlled environment p. 3.11
Crossover error rate (CER) p. 2.47, 49
Costs p. 1.4; 3.28; 4.22; 6.17, 30; 8.3,
8, 9, 10
Cumulative match characteristic
(CMC) curve p. 6.13-15
D prime p. 2.47
Version 2 – Summer 2008

Biometric Technology Application Manual Index 3
DARPA p. 3.62
Data Protection Act p. 7.25-30
Data Protection Authority p. 7.33
Data Protection Directive p. 7.18, 19,
39, 40, 41
Databases: see template storage
Daugman, John p. 2.4; 3.21; 8.9
Decision errors p. 2.13, 14, 30; 4.16
Degrees of freedom p. 2.48
Demographics p. 4.6; 6.22
Detection of error trade-off (DET)
curve p. 6.14, 35
Digital signature p. 1.5; 2.48, 54, 56,
59; 5.3, 4
Disclosure p. 4.11; 6.23; 7.57, 62-65,
68
Directive 94/46/EC p. 7.19-24
Discriminant training p. 2.48
DNA (deoxyribonucleic acid) p. 2.17,
53; 3.53, 59, 63-64; 7.5, 53; 8.3, 8
Door controller unit p. 4.25
Dynamic signature analysis p. 3.1, 2,
3, 47
Ear shape p. 2.48; 3.65-66
Eigenface p. 2.48; 3.5-6
Eigenhead p. 2.48
Eigenpalm p. 3.30
Elastic bunch graph matching (EBGM)
p. 3.7
Encryption p. 1.5; 2.9, 35, 48, 54, 56,
59, 62; 5.4; 6.46; 7.30, 59, 64
End user p. 2.43, 45, 46, 49, 56, 62, 63;
3.3, 8; 5.5, 10, 14, 15, 30; 6.2, 4, 8, 25;
8.2, 9, 11
End user adaptation p. 2.49
Version 2 – Summer 2008
Enrollee p. 2.49
Enrollment p. 1.2, 8; 2.7, 8, 9, 10, 12,
13, 14, 15, 17, 19, 20, 21, 22, 23, 24,
25, 27, 28, 29, 32, 42, 43, 44, 49, 50,
51, 52, 53, 57, 61, 6; 3.2, 3, 4, 5, 10,
11, 20, 23, 26, 27, 28, 33, 39, 41, 44,
47, 50, 53, 66; 4.7, 13, 20, 21, 23, 24,
25, 29, 30, 31, 33, 34, 35, 36, 37, 38,
39, 40, 42, 43; 5.13, 27; 6.5, 12, 20,
31; 7.3, 5, 6, 15, 49, 50, 56, 61, 63, 64,
77, 78; 8.5
Enrollment station p. 2.43
Enrollment time p. 2.32, 49
Equal error rate (EER) p. 2.47, 49; see
also crossover error rate
Errors, causes of p. 6.19; see also fail-
ure to acquire, failure to enroll,
false accept, false match, false non-
match, false reject
European Biometrics Forum (EBF) p.
6.44
European Committee for Standardiza-
tion, Information Society Standard-
ization System (CEN/ISSS) p. 5.15
European Union p. 7.23, 24, 39
European Union Data Protection Di-
rective (EU Privacy Directive) p.
7.40-42
Evaluation protocols p. 6.36
Extraction p. 2.49
Face monitoring p. 2.49; see also fa-
cial imaging, facial thermography
Face Recognition Grand Challenge p.
6.39
Face Recognition Vendor Test (FRVT)

Index 4 Biometric Technology Application Manual
p. 6.38
Facial imaging, facial recognition p.
3.5-12
Facial thermography p. 2.49; 3.8,
66-67
Failure to acquire, failure to acquire
rate p. 2.16, 26, 49-50; 4.15, 30, 31;
6.20, 21; 8.13
Failure to enroll p. 2.26; 4.9, 30, 31;
6.19-20
False accept, false accept rate (FAR)
p. 2.14, 15, 16, 26, 27, 29, 30, 49, 50;
3.4; 4.14, 16; 6.2, 18, 21, 26; 7.14, 15;
8.13; see also false non-match
False match, false match rate (FMR) p.
2.13, 14, 15, 16, 51; 3.23; 4.9, 14, 16,
18, 30, 31; 6.13, 14, 16, 19
False non-match, false non-match
rate (FNMR) p. 2.13, 14, 15, 16, 51;
4.14, 16, 17, 30, 31, 32; 6.15, 16, 19
False reject, false reject rate (FRR) p.
2.14, 15, 16, 26, 27, 29, 30, 49, 51,
52, 59; 3.17; 4.9, 14, 15, 16, 18; 6.2,
13, 14, 19, 21; 7.14, 15, 28, 73; 8.13;
see also false non-match; failure to
acquire
Federal Privacy Act of 1974 p. 7.35
FERET p. 6.38, 43
Field test p. 2.52; 6.24
Finger geometry p. 3.19, 37, 67
Finger image p. 1.3; 2.40, 52, 56, 57;
3.30; 5.2
Fingernail patterns p. 8.4
Fingerprint p. 2.1-5, 17-18, 20, 25, 26,
34, 37, 40, 41, 53, 54, 58, 60, 63; 3.1,
4, 12, 13, 14, 15, 16, 17, 18, 20, 23,
30, 31, 32, 33, 37, 45, 48, 65; 4.11,
15, 20, 21, 31; 5.2, 30; 6.1, 7, 37, 38,
41, 44, 45; 7.12, 13, 14, 27, 28, 48,
50, 59, 73, 76; 8.1, 3, 6, 9, 10, 11, 13
Fingerprint sensor p. 2.53; 3.37
Fingerprint Verification Competition
(FVC) p. 6.45
Fourier transform p. 3.30
Foundation documents p.2.22, 53, 61;
see also “breeder documents”
FpVTE 2003 p. 6.37-38
Friction ridges p. 2.53
Function creep p. 7.4, 45
Gabor filters p. 3.7, 30
Gait p. 3.55, 68, 69, 41; 8.4, 7
Galton, Sir Francis p. 2.3
Genetic penetrance p. 2.53
Hand geometry p. 2..4, 58; 3.1, 18,
19, 20, 21, 30, 32, 37, 49, 65, 67, 68;
4.11, 20, 21; 6.44; 7.74; 8.1, 3
Hand vascular pattern recognition
systems: see vein pattern
Hash function p. 2.54
Hashing p. 2.35, 54
Health Insurance Portability and Ac-
countability Act (HIPAA) of 1996 p.
7.40, 71
Herschel, Sir William p. 2.2
Henry, Sir Edward Richard p. 2.3
Human Recognition Services Module
(HRS) p. 5.23
Identification p. 2.15-16; 6.4; 7.6, 64;
see also 1:N identification systems
Version 2 – Summer 2008

Biometric Technology Application Manual Index 5
Identification applications p. 2.12;
3.29
Identification levels p. 1.3
Identifier p. 2.55
Identity p. 1.2, 2.55
Identity management: p. 1.6-8; defi-
nition p. 1.6
Identity source documents: see
“breeder documents”
Identity theft p. 1.4-6; 2.33; 3.43; 5.49,
31; 7.56, 75; 8.11
Impediments to use of biometrics p.
1.4
Imposter p. 2.55
INCITS: see International Committee
for Information Technology Stan-
dards
INCITS M1 p. 2.55; 5.8, 11-12, 18-22;
6.24, 32-33
Information access control: see logi-
cal access control
Information assurance (IA) p. 2.55
Information systems p. 4.11, 14; 7.49
Information Technology Industry
Council (ITI) p. 2.56
Infra-red (IR) light p. 3.21-22, 67
In-house test p. 2.56
Integrated Automated Fingerprint
Identification System (IAFIS) p.
2.54; 6.41
Interface with other systems p. 2.29;
4.5, 6
International Biometric Industry As-
sociation (IBIA) p. 2.4; 5.31; 7.70
International Biometrics Association
(IBA) p. 2.4
Version 2 – Summer 2008
International Biometrics Group (IBG)
p. 6.46
International Civil Aviation Organiza-
tion (ICAO) p. 5.5, 7, 14, 28
International Committee for Informa-
tion Technology Standards (INCITS)
p. 2.55; 5.18; 6.32; see also INCITS
M1
International Electrotechnical Com-
mission (IEC) p. 2.54; 5.16; 6.28-30
International Engineering Consor-
tium p. 5.7
International Standards Organization
(ISO) p. 2.56; 5.15-16; see also ISO/
IEC JTC 1
Iridology p. 3.24
Iris recognition p. 2.4-5, 28; 3.1, 21-25;
4.11, 15; 5.21; 6.39-40; 8.1, 7, 10
IrisCode ® p. 2.56; 3.22-23
ISO/IEC JTC 1 p. 5.2, 4, 16-19, 30
Japan: see Personal Information Pro-
tection Act
Johns Hopkins University p. 6.46
Joint Technical Committee 1 (JTC 1) p.
2.56; 5.2, 4, 16
Key p. 2.56
Keystroke analysis / keystroke dynam-
ics p. 3.25-29
Latent, latent print p. 2.56
Law: international p. 7.18-34; U.S. p.
7.8-17
LDC/University of Pennsylvania p.
6.45

Index 6 Biometric Technology Application Manual
LISTSERV p. 5.30
Live capture p. 2.56
Local correlation analysis p. 3.7
Local feature analysis p. 3.6
Logical access control (information
access control) p. 3.42; 4.3; 6.46
M 1.2 p. 5.2, 6, 19-20
M 1.3 p. 5.20
M 1.4 p. 5.21
M 1.5 p. 5.11, 21-22; 6.2
M 1.6 p. 5.2, 22
M1 Technical Committee on
Biometrics: see INCITS M1
Match, matching: see 1:1, 1:N, com-
pare, comparison
Michigan State University p. 6.44-45
Miniaturization p. 8.8, 13
Minutiae p. 2.57; 3.14-18, 30; 5.2, 20
Mission creep: see function creep
MIT/Lincoln Lab p. 6.45
National Biometric Security Project
(NBSP) p. Abstract. ix-xi, xvi-xvii;
2.4-5; 6.20-25; 6.33, 41-42; 7.24;
8.11; see also Qualified Products
List
National Institute of Standards and
Technology (NIST) p. 3.10; 5.10,
14, 28-32; 6.37-41; see also FpVTE
2003
National Physical Laboratory (NPL) p.
2.4; 6.42
National Security Agency (NSA) p.
5.30
Networking of biometric systems p.
2.19-29
NIST: see National Institute of Stan-
dards and Technology
NIST/BC Biometric WG p. 5.29
NISTIR p. 5.28
Non-repudiation p. 2.57
Notre Dame p. 6.45
OASIS: see Organization for the Ad-
vancement of Structured Informa-
tion Standards
Olfactory analysis p. 3.62; 8.4
One-to-many comparison p. 2.57; see
also 1:N identification
One-to-one comparison p. 2.57; see
also 1:1 identification
Oneness of source p. 1.2
Open Group, The p. 5.23
Open-set identification p. 2.57
Operating environment p. 2.11;
4.5-13; 6.9, 26, 37
Operating speed p. 4.8
Operational considerations, opera-
tional constraints p. 4.5-7
Operational testing p. 6.8-12
Optical sensor p. 2.57; 3.36
Organization for the Advancment of
Structured Information Standards
(OASIS) p. 5.23
Organization for Economic Coopera-
tion and Development (OECD) p.
7.18
Out of set p. 2.57
Palmprint p. 2..2; 3.30-32
Passive imposter acceptance p. 2.58
Version 2 – Summer 2008

Biometric Technology Application Manual Index 7
Password p. 58; 3.1, 25-29, 43; 4.16-19,
22, 23; 7.55-56
Performance: criteria p. 2.58; mea-
surement of p. 6.16-20; specifica-
tion p. 4.7-11; variables affecting
p. 2.31-32
Persistence p. 8.5
Personal biometric criteria p. 2.17-18
Personal data protection law (CPDL)
p. 7.32
Personal digital assistant (PDA) p. 3.2
Personal Information Protection Act
(PIPA) p. 7.68-69
Physical access control p. 4.3, 33-36
PIN p. 2..32, 46, 58; 3.50
Platen p. 2.58
Plug-and-play p. 2.58
Podio, Fernando p. 5.10
Police Information Technology Orga-
nization (PTO) p. 6.38
Positive ID systems p. 2.14, 16
Pre-enrollment process p. 2.21-23
Print Card p. 2.37
Print match or identification p. 2.37
Privacy concerns p. 1.5; 7.35, 40, 56;
see also law
Private key p. 2.48, 59
Public key p. 2.46, 48, 59; public key
cryptography (PKC) p. 2.58; public
key infrastructure (PKI) p. 2.58
Purdue/BSPAL p. 6.46
Purkinje, Johannes Evangelista p. 2.2
Qualified Products List (QPL) p. 6.20,
21, 42
Version 2 – Summer 2008
Random environment p. 3.11
Receiver operating characteristic
(ROC) curves p. 2.59; 6.13
Recognition p. 2.59
Reference, reference model p. 1.2;
6.19; see also template
Region of interest p. 3.43
Religious concerns p. 7.76
Request to exit (RX) p. 4.26, 27
Requirements definition p. 4.1, 2,
7-12
Response time p. 2.60
Retinal scan p. 2.4; 3.32-35
Rhythm/tapping sequence p. 3.69,
70; see also keystroke analysis
Ridge, ridge ending p. 2.60; 3.13, 15
Robustness p. 2.61; 3.3, 8, 17, 19, 23,
27, 31, 33, 37, 40, 45
Sample size, sample error p. 6.5,
22-23
San Jose State University p. 2.44;
6.45
Sandia National Laboratory p. 6.43
SC 17 p. 5.16-17
SC 27 p. 5.5, 16-17; 6.27
SC 37 p. 5.2, 5-9, 16-19, 22, 30, 32
SCF Data Security p. 5.24
Scalability p. 1.4; 6.30-31
Scenario testing p. 5.22; 6.6, 8, 21, 46
Secure Hash Algorithm 1 p. 2.54
Security testing p. 6.27
Sensor, definition of p. 2.61
Signature: see dynamic signature
analysis

Index 8 Biometric Technology Application Manual
Skin spectroscopy, skin texture, skin
contact p. 3.35-38
Skull resonance p. 3.70
Source documents p. 2.22, 44, 53,
61; see also “breeder documents,”
foundation documents
Speech recognition: see voice recog-
nition
Speaker verification p. 3.40-43, 53, 59
Spoofing p. 3.33, 37; 6.2, 16, 25
Standards: compliance to p. 1.4; 4.32;
6.31-34
Support vector machine p. 3.6, 7
Symmetric key p. 2.62
System concept, application concept
p. 4.14
Systems specification p. 4.2, 12-14
Tailgating p. 4.27-28
Task Groups p. 5.11-13
Technical Advisory Group (TAG) p.
2.62; 5.18
Technical requirements p. 4.13
Technology limitations p. 4.8
Technology Testing (algorithm verifi-
cation) p. 5.22, 66
Template p. 1.2, 9; 2.6-7, 10-12, 13-16,
19-22, 25-29, 33-34, 36, 37, 42, 43,
46, 47, 49, 51, 55, 56, 57, 60, 62, 63;
3.3-7, 10-11, 14-15, 22-24, 26-28,
39, 43-44, 47-54, 62, 66; 5.2, 20; 6.1;
7.5, 14; 37, 54, 75; 8.5, 7; see also da-
tabase integrity and security
Testing: performance comparison p.
6.20-21; protocols p. 6.34; types p.
6.25-28
Third party test p. 2.62
Threshold, decision p. 2.8; 7.14-15
Throughput, throughput rate p. 2..62;
4.7-9, 32; 6.2, 7, 15, 17, 20-21, 30-31;
8.3; see also operating speed
TNO TPD p. 6.43
Transaction management p. 2.35
Transaction storage p. 2.35
Transfer of data, international p. 7.41
Type I error p. 2.51-52, 62; see also
false reject
Type II error p. 2.50, 62
Typing rhythms: see keystroke analy-
sis
United Kingdom: see Data Protection
Act
United States Naval Academy p. 6.46
Universal unique identifiers
p.7.57-58
University of Bologna p.6.45
University of Buffalo p. 6.44
University of California San Diego p.
6.45
University of Edinburgh p. 6.45
University of Maryland p. 6.45
User p. 2..6-12, 20-21, 63; 4.4-7;
7.55-67, 74-76; education of p.
7.77-78; see also acceptance of bio-
metric technologies
Validation p. 2.63
Vein pattern p. 3.43-46; 8.4; see also
facial thermography
Verification, verify p. 2.62; applications
p. 2.12, 21-22; time p. 2.34-35
Visitor and Immigrant Status Indicator
Version 2 – Summer 2008

Biometric Technology Application Manual Index 9
Technology (VISIT) p. 6.38; 7.46-48
Voice print: see speaker verification
Voice recognition p. 2.5; 3.38-43; 4.11;
8.1-2
Volatiles p. 2.63; 3.62
von der Marlsburg, Christoph p. 3.7
Vulnerability p. 4.5-6; 6.9, 16, 25-26;
7.66, 71; see also spoofing
Wavelet p. 3.30
Wavelet scalar quantization p. 2.63
WD 19792 p. 6.27
West Virginia University p. 6.45
WG 1, 2, 3, 4, 6 p. 5.17-18, 22; WG 5
p. 5.18; 6.32
X9.84 Biometrics p. 2.64; 5.24; see
also Accredited Standards Com-
mittee X9
XCBF p. 5.3-4, 23
XML p. 5.4, 23
Zero effort imposter, zero effort at-
tack p. 2.30, 64
Version 2 – Summer 2008

BIOMETRICS FOR NATIONAL SECURITY (BiNS V)
Contract Number: H98230-06-C-0382
Deliverable: 08-037-CDRL-A006
NBSP Coordination and Approval
Task Manager: Russ Ryan
Program Manager: Valerie Evanoff
Program Director: Richard E. Norton
Quality Control: Carol Harvey
Government Acceptance
_________________________________
Contract Technical Representative Name
_________________________________
Signature
_________________________________
Date